Private Address Spaces

Discussion in 'Computer Security' started by Andrew, Jul 9, 2003.

  1. Andrew

    Hi all, just wondering what you companies out there use in the way of IP
    address ranges? We use 98 and 222 ranges, class A and class C... but this
    chap was saying I really need to use either 10.0.0.0 or 172.16.0.0 or
    192.168.0.0...

    Just wondering what the score is really... is it illegal to use whatever we
    like?? Or do we have to change to satisfy the rules!!

    Andi
     
    Andrew, Jul 9, 2003
    #1

  2. I don't think it's illegal, but that doesn't mean that your ISP is going to
    route it. Since they're not going to route it anyway, you might as well
    use the unroutable IP blocks and set up NAT on your gateway.
     
    Skylar Thompson, Jul 9, 2003
    #2

  3. Mike

    It's not illegal to use anything you like but the three ranges you
    mention have been set aside for private networks.

    If your network connects to the internet, using anything outside these
    ranges could mean there is more than one machine on the 'net with the
    same IP address. The private IP addresses aren't transmitted over the
    'net so by using them, you not only avoid possible clashes on the 'net,
    you also improve your network's security. If your network isn't
    connected to the internet, these considerations don't apply but, even
    then, it's better to use the private IP addresses so you can easily
    connect to the 'net some time in the future.
     
    Mike, Jul 9, 2003
    #3
  4. Don Kelloway

    I have known plenty of companies who've attempted to use IP addresses
    registered to another company (ahem, I like to refer to these IPs as
    'pirated' IPs). They call to say that they can't figure out why they
    can't connect to some obscure website or why someone at some other company
    can't send them email. <grin>

    The reason is they're using 'pirated' IPs! Let me explain.

    Within a LAN, you're using 98.x.x.x with a 255.0.0.0 subnet mask. At
    some point in time, an employee within the LAN launches their web
    browser, types in www.yada.com and then attempts to visit the website.
    What will happen is that the connection fails because the DNS A record
    resolves to an IP (98.6.1.106) that's supposed to be within the same LAN!
    The fact of the matter is that no one within the LAN will be able to
    establish a connection to an IP that resolves back to the IPs being
    'pirated'. This is the basics of IP routing!

    Now I know what you're thinking. You're probably thinking to yourself
    "Big deal. No one within the LAN will be able to go to any IP address that
    resolves back to the same range we're using. We can live with that."
    Well, it's a bit more problematic than that.

    Have you thought about the fact that you're blocking access to 16.5
    million IPs? How about the fact that you'll be blocking access *from*
    16.5 million IPs as well? Yes, I said 'from'. What do I mean? I mean
    that if someone within the 'yada.com' domain wanted to send an email to
    someone within your LAN of 'pirated' IPs, the inbound SMTP connection
    would be blocked at the firewall providing the NAT. I say this because
    most firewalls (if not all) will treat the incoming connection as a
    'spoofing' attempt. IOW the source IP address of the incoming connection
    represents an IP address that the firewall 'knows' to be on the internal,
    protected side.

    So what's the easiest method to fix this nightmare? Simple. Just change
    the first octet of the 98.x.x.x IP address to '10'. That's it! In doing
    this, you've just changed to one of the IP ranges ('10.x.x.x') allocated
    in RFC 1918 (see note below) for use with NAT. Granted there may be a need
    to run around and change some servers, but this is truly the only way to
    resolve the issue.

    In closing, I will acknowledge that I may have used what appears to some
    as an extreme example, but it's a legitimate example I've encountered more
    than once.


    Note: You should be using IP addresses from any of the following:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

    For additional information please refer to RFC 1918
    (http://www.faqs.org/rfcs/rfc1918.html)

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Jul 9, 2003
    #4
  5. Andrew

    Nice one chaps...thanks for the info!!

    hmmmmm, I've already made up a 192.168... I think I will use a ten address
    too!!

    Cheers

    Andi
     
    Andrew, Jul 9, 2003
    #5
  6. eric w

    Aren't they insane for opening their internal LAN to the internet, or am I
    insane???

    ....eric
     
    eric w, Jul 9, 2003
    #6
  7. Jim Watt

    Yup, and they are really naughty boys! I found one of my clients using
    an IP block allocated to Sun. They were told to do it by a
    'know-it-all'.
     
    Jim Watt, Jul 9, 2003
    #7
  8. James Knott

    Look up RFC 1918. It lists the 3 available address ranges and the reasons
    for use. If you use addresses that are not on that list, you'll have to
    make sure your router does not pass them to the internet, and you'll be out
    of luck if you ever need to connect to the real address.

    Change them to one of the RFC ranges and you'll be a lot happier.

    --

    Fundamentalism is fundamentally wrong.

    To reply to this message, replace everything to the left of "@" with
    james.knott.
     
    James Knott, Jul 9, 2003
    #8
  9. Whoever

    IIRC, Sun shipped early systems configured that way, or they trained
    people to do it that way... or something that actually tracks back to Sun.
    I assume it was somewhere in the 192.9.0.0 to 192.9.255.255 range?

    Interestingly, Sun seems to have almost all of the above range EXCEPT for
    192.9.200.0 to 192.9.200.255 and 192.9.255.0 to 192.9.255.255
     
    Whoever, Jul 10, 2003
    #9
  10. Whoever

    If the machines using those IP addresses are behind an effective stateful
    firewall, then they are pretty secure. In fact, that is the way the
    Internet was *supposed* to work and it is possible everyone will revert to
    using real IP addresses when IPv6 is in widespread use.

    The presence of NAT routers means that the security of some protocols has
    been compromised in order that people can use those protocols from behind
    NAT routers. It's very difficult to ensure end-to-end security if there
    is a router that is re-writing packets in between the endpoints.
     
    Whoever, Jul 10, 2003
    #10
  11. Don Kelloway

     
    Don Kelloway, Jul 10, 2003
    #11
  12. Jim Watt

    That may have been the thinking, however there were no Sun
    computers involved.
     
    Jim Watt, Jul 10, 2003
    #12
  13. Bernie

    As Don pointed out, there are real problems with this. Yes, you "can"
    use any public IP you want on your private network and use NAT to
    connect to the public network. It will appear to work 99.999% of the
    time too. Yes it is I suppose even legal to do so. However, you are
    stupid to do so because you are going to inevitably cause yourself
    problems...maybe not today or tomorrow, but possibly the next day.

    Suppose you are using 20.x.x.x internally. Suppose you go to a
    website whose DNS resolves to 20.x.x.x. That is, the company that is
    hosting this is the real owner of the 20.x.x.x pool. From your
    perspective the webserver is local, and you will never, ever send the
    packets out to the public network regardless of NAT or anything else.
    The webserver will just appear to be unreachable, and the same admin
    that set up the addressing scheme will be just as clueless in solving
    the "unreachable webserver" problem as he is in proper IP addressing.
    He will just point the finger at the other company's webserver or
    email server or whatever and it will never dawn on him that he is
    causing the problem, not the other company.



    --Bernie
     
    Bernie, Jul 10, 2003
    #13
  14. Don Kelloway


    Bernie,

    Thanks for the reiteration.

    I'd like to also add what was stated in my original reply, and this would
    be that no system within the registered 20.x.x.x range on the 'net will be
    able to send traffic to the LAN where the 'pirated' 20.x.x.x range is
    being used.

    In essence the company using the 'pirated' IPs is effectively preventing
    itself from being able to send to or receive from 16.5 million IP
    addresses. Not a good thing in my book. <grin>

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Jul 10, 2003
    #14
  15. Don Kelloway

    "You can use any IP addresses you want as long as you use them PRIVATELY."

    Yes. You could do this, but be prepared to be cursed out by those whose
    LAN you administer when they learn that they cannot send IP traffic (e.g.
    surf websites) to any of 16.5 million IP addresses, nor receive any IP
    traffic (e.g. receive email).

    Certainly not something to expect from someone who administers a LAN with
    Internet connectivity. Especially with the subject involving the basics
    of IP routing.

    --
    Best regards,
    Don Kelloway
    Commodon Communications

    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Jul 10, 2003
    #15
  16. <LURK=off>
    A little dramatic don't you think??

    With variable masking, Plus VRRP / HSRP addressing there is a lot of
    potential dead space there...even if you are correct.
    <LURK=on>

    ;)
    Scott Millington
    http://www.haapis.net
    ***
    I want to do something more relaxing -- like dismantle live nuclear
    weapons. - White House press secretary Ari Fleischer

    PS. Nice crossposting
     
    Scott Millington, Jul 10, 2003
    #16
  17. Don Kelloway

    re: dramatics
    Even after it was explained that this is a bad thing, someone was still
    under the impression that it's okay so long as NAT is implemented. In
    addition, it has been my experience with the admins who were encountering
    this issue that most were using /8 subnets. So no, I don't think my
    comment(s) were dramatic. In fact they were quite factually based.

    re: variable masking
    Of course you may reduce the number of IPs that you are preventing access
    to/from, but that only minimizes the issue. The fact remains that the
    issue still exists.

    re: cross-posting
    Unless the groups do not pertain to the scope of the discussion or there
    are more than five or six, I try to refrain from modifying it.
     
    Don Kelloway, Jul 11, 2003
    #17
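The mechanics behind Don's #4 (the LAN's own routing table swallowing traffic to the real owner of the block, and the NAT firewall's anti-spoofing rule dropping inbound traffic from it), restated by Bernie in #13, together with the variable-masking point from #16/#17 (a narrower mask shrinks the number of addresses affected but does not remove the problem), modelled in Python. This is an added illustration, not code posted by anyone in the thread: the routing table, firewall rule, prefixes and addresses are constructed sample data, and the function names (`next_hop`, `ingress_allowed`, `shadowed_public_addresses`, `renumber_to_10`) are this example's own. It assumes Python 3.7 or later for `IPv4Network.subnet_of`.

```python
"""Added example (not from the thread): why numbering a LAN from a public
block you do not own cuts you off from the block's real owner, and why an
RFC 1918 prefix does not. Routing table, firewall rule and addresses below
are constructed sample data."""
from ipaddress import ip_address, ip_network

# The three blocks RFC 1918 sets aside for private use.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def next_hop(dest: str, routes) -> str:
    """Longest-prefix-match lookup, as a host or router performs it.

    routes is an iterable of (prefix, gateway) pairs; gateway None means the
    prefix is directly connected, so the host ARPs for the destination on the
    LAN instead of forwarding the packet to any gateway.
    """
    d = ip_address(dest)
    matches = [(ip_network(p), gw) for p, gw in routes if d in ip_network(p)]
    if not matches:
        return "unreachable"
    _prefix, gateway = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if gateway is None else gateway


def ingress_allowed(src: str, internal: str) -> bool:
    """Anti-spoofing rule on the outside interface of a NAT firewall: a packet
    claiming a source address that belongs to the inside prefix is dropped."""
    return ip_address(src) not in ip_network(internal)


def shadowed_public_addresses(prefix: str) -> int:
    """How many globally routable addresses the LAN prefix hides from itself.

    Zero for RFC 1918 space, because those addresses are never routed on the
    Internet; otherwise the whole prefix, which is why a /8 hurts far more
    than a /24 (the variable-masking point)."""
    net = ip_network(prefix, strict=False)
    if any(net.subnet_of(r) for r in RFC1918):
        return 0
    return net.num_addresses


def renumber_to_10(addr: str) -> str:
    """Don's fix: keep the last three octets, replace the first with 10."""
    _first, rest = addr.split(".", 1)
    return "10." + rest


if __name__ == "__main__":
    # Constructed LAN: 98.0.0.0/8 inside, default gateway 98.0.0.1 ...
    pirated = [("98.0.0.0/8", None), ("0.0.0.0/0", "98.0.0.1")]
    # ... and the same LAN renumbered into 10.0.0.0/8.
    fixed = [("10.0.0.0/8", None), ("0.0.0.0/0", "10.0.0.1")]
    web = "98.6.1.106"  # constructed: the real owner's web/mail server
    print("pirated LAN -> %s: %s" % (web, next_hop(web, pirated)))  # on-link: never leaves the LAN
    print("RFC1918 LAN -> %s: %s" % (web, next_hop(web, fixed)))    # 10.0.0.1: goes to the gateway
    print("inbound from %s accepted on pirated LAN? %s" % (web, ingress_allowed(web, "98.0.0.0/8")))
    print("inbound from %s accepted on RFC1918 LAN? %s" % (web, ingress_allowed(web, "10.0.0.0/8")))
    for net in ("98.0.0.0/8", "98.6.1.0/24", "10.0.0.0/8"):
        print("%s shadows %d public addresses" % (net, shadowed_public_addresses(net)))
```

Run as-is to see both halves of the problem: with 98.0.0.0/8 directly connected, the lookup for 98.6.1.106 returns "on-link" and the packet never reaches the gateway, while the firewall rejects the same address as a source on its outside interface; after renumbering, the lookup falls through to the default route and the ingress rule no longer matches. The count for 98.6.1.0/24 (256) versus 98.0.0.0/8 (16,777,216) is the variable-masking trade-off: smaller, but never zero outside RFC 1918 space.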
  18. PLONK

    IT'S JUST LITTLE SCOTT WAGWETS

    you can read little scott here and in the SUNDAY COMICS.
     
    Scott Miillington, Jul 11, 2003
    #18
  19. mchiper

    In alt.computer.security, Msg ID: <djVOa.2918$>
    Don..
    I don't have either the time or the inclination to try to understand
    how anyone cheats...
    All I am interested in doing is to make my ISP responsible for MY security.
    Can you turn this problem on its head, by moving up ONE layer?
    Who, other than my ISP, has a need to know the IP address that
    my ISP assigns to me?
    Or the email address that they assign to me?

    It's my assertion that the answer is NO ONE, except me and my ISP.

    If you are so inclined, I'm willing to engage you, as a paid
    expert witness, when I bring the bastards to their knees.
    I may settle out of court.
    I may end up driving them into penny stocks.
    Or it could be the mother of all class action suits.
    Care to play?

    Or, tell me I'm wrong?
    Am I NOT just a client on their PVN?
     
    mchiper, Nov 4, 2003
    #19
  20. mchiper

    In alt.computer.security, Msg ID: <L30Pa.99442$>
    How about a short course in network topology.

    My ISP has its headquarters in NY, and has a national network.
    How many routers would you guess they use?
    How many addresses does the RFC allow each router to use,
    and still connect to the Internet, safely?
    What is the likelihood that any one router would run out of addresses
    to assign to the domain they control?

    Refer the following message for a reason to help.

    In alt.computer.security, Msg ID: <>
     
    mchiper, Nov 4, 2003
    #20