Arguing against using public IP space

Jay Hennigan jay at west.net
Sun Nov 13 17:51:13 CST 2011


On 11/13/11 7:36 AM, Jason Lewis wrote:
> I don't want to start a flame war, but this article seems flawed to
> me.  It seems an IP is an IP.
>
> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
>
> I think I could announce private IP space, so doesn't that make this
> argument invalid?

You could announce it.  I wouldn't expect anyone else to listen to those 
announcements other than for the purpose of ridiculing you.

> I've always looked at private IP space as more of a
> resource and management choice and not a security feature.

It depends.

Case 1:  If the SCADA vendors are configuring units with non-RFC1918 IP 
space in live customer installations, and these installations aren't 
ever in any way connected to the public Internet, then there isn't any 
real operational problem.  It smacks of carelessness/cluelessness on the 
part of both the vendor and the IT staff of the customer who accepted 
the configuration, but nothing is operationally broken.

Case 2:  Same as above, but the SCADA network is connected to the 
Internet behind a NAT at the customer location.  Again careless and 
clueless.  And should anything on that network need to access resources 
on the Internet within the space configured on the SCADA system it won't 
work.  The vendor/customer have broken reachability to some part of the 
public Internet for that system.  Whether there is a security risk 
depends on the configuration of the NAT firewall and whether and how 
the SCADA system opens connections outbound and what vulnerabilities 
exist in its systems if it does.  No more security risk than the same 
situation using RFC1918 space.

Case 3:  Same as case 2 but without the NAT.  Pretty much the same 
result.  The SCADA system won't be reachable from the outside because 
the customer's provider won't route those addresses to the customer. 
Packets sourced to the Internet from the SCADA aren't likely to get very 
far.  Even more broken/stupid than the other scenarios but not likely to 
be much of a security risk in terms of exposure to the Internet.

Case 4:  SCADA vendor asks customer for a subnet of public IP space 
allocated to the customer and installs the SCADA system directly on the 
Internet.  From an RFC standpoint, nothing is broken.  From a security 
standpoint, without appropriate firewalls, a very bad idea.

So, yes, it's a dumb idea.  The degree of dumbness depends.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
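A small audit helper for the four cases Jay lays out above, added here as an example and not part of the thread or of any vendor's tooling. The `Site` fields, the case numbering and the sample prefixes (a documentation range standing in for a vendor-default "public" block) are this example's own assumptions.

```python
"""Classify a SCADA network's addressing into the four cases above and
list the Internet destinations it shadows (added example; inputs constructed)."""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix: str) -> bool:
    """True if the whole prefix lies inside one of the RFC1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


@dataclass
class Site:
    scada_prefix: str          # what the vendor configured on the units
    internet_connected: bool   # any path to the public Internet at all
    behind_nat: bool           # that path goes through a NAT/firewall
    customer_allocated: bool   # prefix is really assigned to the customer


def classify(site: Site) -> int:
    """Map a site to Case 1-4; 0 means plain RFC1918 use (nothing to flag)."""
    if is_rfc1918(site.scada_prefix):
        return 0
    if site.customer_allocated and site.internet_connected and not site.behind_nat:
        return 4                       # directly on the Internet, RFC-clean
    if not site.internet_connected:
        return 1                       # squatting, but isolated
    return 2 if site.behind_nat else 3  # squatting with NAT / without NAT


def shadowed_destinations(site: Site, destinations):
    """Internet hosts the SCADA network can no longer reach because it
    believes they are local (the broken reachability of Cases 2 and 3)."""
    if classify(site) not in (2, 3):
        return []
    net = ipaddress.ip_network(site.scada_prefix, strict=False)
    return [d for d in destinations if ipaddress.ip_address(d) in net]


if __name__ == "__main__":
    # Constructed sample: vendor default 198.51.100.0/24 behind a NAT.
    site = Site("198.51.100.0/24", True, True, False)
    print("case", classify(site))                        # case 2
    print(shadowed_destinations(site, ["198.51.100.7", "192.0.2.1"]))
```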