Cookie-Cutter Networks with Duplicate IP Ranges

deanwebb · August 26, 2019, 09:50:48 AM

LOCAL IT MANAGER: We're using 192.168.100.0/24 at every site as the local manufacturing line network. It's non-routable.

ENGINEER: Well, we need to make those routable so the vendor can do maintenance on the equipment on the production line.

LOCAL IT MANAGER: Oh, OK. You can make it routable. Just be sure to permit the traffic on the firewall, so we'll be good to go.

ENGINEER: Well, to make it routable, we need to change the IP range being used.

LOCAL IT MANAGER: Re-IP all the devices? Well, we can put it to the change committee for discussion ahead of the next available change window.

ENGINEER: That's the December change window this year?

LOCAL IT MANAGER: No, we have that full up with other work. This would have to wait until December *next* year.

ENGINEER:

***

What's *your* story about those duplicate IP ranges that aren't supposed to be routable? I got more stories because of NAC... $:-\$

Otanx · August 26, 2019, 11:45:04 AM

Customer reused address space for all their /30s. So you would hit NYC-R1, and it would have 192.168.1.1/30, 192.168.1.5/30, and 192.158.1.9/30 on the interfaces. Go to CHI-R1, and find 192.168.1.1/30, 192.168.1.5/30. Go to MIA-R1, and it had 192.168.1.1/30, 192.168.1.5/30, 192.168.1.9/30. They figured those addresses were "link-local" so they didn't care if you could reach them remotely or not. Everything used loop backs for management stuff. When I asked about it they said it was to conserve address space. Apparently at some point all the links were in public space, they did this to save space. No clue if that was ever fixed or not.

Kind of similar to Mr. Webb's story. This is on a very specialized piece of hardware. The management interface for this system is hard coded to a specific /24. You can change the last octet, but not the rest. Also no default gateway is configured. They never expected anyone would want to manage the system remotely. Last I talked to them they didn't plan on changing this because their biggest customer didn't care.

Last one. A vendor used real public IPs on the back plane of their device. These IPs do not belong to them. If you try to connect to these box from one of these IPs it will not respond as it tries to respond on the local internal interface. You have to add a /32 route to the IPs you want to be reachable externally, and only if those IPs aren't actually in use internally on the box. Originally I think they had an entire /16 on this (maybe a /8). Newer releases have it down to a /28 which they then leased from the real owner of the space. I complained originally because we had a customer in the original space. That is why they moved it to a /28. I tried to point out 127.0.0.0/8 was a really good space to use for this, but they didn't care. While we waited for a fix I was doing a source NAT on traffic for this box so our customer could access it. I just checked after I wrote this. The most current software actually uses 169.254 space. So much better.

-Otanx

deanwebb · August 27, 2019, 09:41:53 AM

169.254? That's the Microsoft "I can't get a real IP, so I'll just make one up" address range.

Otanx · August 27, 2019, 10:30:47 AM

169.254/16 is actually defined in RFC 3927 as link-local address space. So an internal isolated network is a valid use for the space. Microsoft is just the most visible use of this space, and in this instance is actually doing the right thing, and following RFC.

-Otanx

icecream-guy · August 27, 2019, 12:54:36 PM

techhies call that APIPA

wintermute000 · August 27, 2019, 05:18:13 PM

Just use IPv6. You could build a totally new address range, with hookers! and Blackjack!

(ducks)

Dieselboy · August 28, 2019, 12:09:18 AM

Is it wrong for me to be gleaning security ideas from this thread?

deanwebb · August 28, 2019, 07:49:48 AM

Quote from: Dieselboy on August 28, 2019, 12:09:18 AM
Is it wrong for me to be gleaning security ideas from this thread?

Not at all, as long as you share them.

deanwebb · August 28, 2019, 07:50:21 AM

Quote from: wintermute000 on August 27, 2019, 05:18:13 PM
Just use IPv6. You could build a totally new address range, with hookers! and Blackjack!

(ducks)

Your ideas intrigue me, and I would like to subscribe to your newsletter...

Otanx · August 28, 2019, 10:39:05 AM

IPv6? I haven't even started rolling out IPv5 yet. I should get busy with that instead of posting here.

-Otanx

icecream-guy · August 28, 2019, 10:57:15 AM

Quote from: Otanx on August 28, 2019, 10:39:05 AM
IPv6? I haven't even started rolling out IPv5 yet. I should get busy with that instead of posting here.

-Otanx

you should jump ahead and start rolling out IPv8, See RFC 1621 to get started.

a real eye opener..

deanwebb · August 28, 2019, 12:28:53 PM

I got a short way into RFC 1621 when I saw the requirement for a server to broker transactions... I'm now on the fence between "intrigued" and "WTF!"...

Dieselboy · August 28, 2019, 08:05:25 PM

I wouldnt worry about IPv6 too much. This whole `internet` thing is just a fad. It will soon pass and we can get on with our lives.

icecream-guy · August 29, 2019, 06:09:01 AM

Quote from: Dieselboy on August 28, 2019, 08:05:25 PM
I wouldnt worry about IPv6 too much. This whole `internet` thing is just a fad. It will soon pass and we can get on with our lives.

Will we be able to have our brains uploading into AI? Join the collective? So we can have instant access to everything?, and unlimited life span?

deanwebb · August 29, 2019, 10:36:00 AM

Quote from: ristau5741 on August 29, 2019, 06:09:01 AM
Quote from: Dieselboy on August 28, 2019, 08:05:25 PM
I wouldnt worry about IPv6 too much. This whole `internet` thing is just a fad. It will soon pass and we can get on with our lives.

Will we be able to have our brains uploading into AI? Join the collective? So we can have instant access to everything?, and unlimited life span?

I'm going to need some SLAs defined before I upload my employees into the collective. Also DLP in place.