Arguing against using public IP space
jay at west.net
Sun Nov 13 17:51:13 CST 2011
On 11/13/11 7:36 AM, Jason Lewis wrote:
> I don't want to start a flame war, but this article seems flawed to
> me. It seems an IP is an IP.
> I think I could announce private IP space, so doesn't that make this
> argument invalid?
You could announce it. I wouldn't expect anyone else to listen to those
announcements other than for the purpose of ridiculing you.
> I've always looked at private IP space as more of a
> resource and management choice and not a security feature.
Case 1: If the SCADA vendors are configuring units with non-RFC1918 IP
space in live customer installations, and these installations aren't
ever in any way connected to the public Internet, then there isn't any
real operational problem. It smacks of carelessness/cluelessness on the
part of both the vendor and the IT staff of the customer who accepted
the configuration, but nothing is operationally broken.
Case 2: Same as above, but the SCADA network is connected to the
Internet behind a NAT at the customer location. Again careless and
clueless. And should anything on that network need to access resources
on the Internet within the space configured on the SCADA system it won't
work. The vendor/customer have broken reachability to some part of the
public Internet for that system. Whether there is a security risk
depends on the configuration of the NAT firewall and whether and how
the SCADA system opens connections outbound and what vulnerabilities
exist in its systems if it does. No more security risk than the same
situation using RFC1918 space.
Case 3: Same as case 2 but without the NAT. Pretty much the same
result. The SCADA system won't be reachable from the outside because
the customer's provider won't route those addresses to the customer.
Packets sourced to the Internet from the SCADA aren't likely to get very
far. Even more broken/stupid than the other scenarios but not likely to
be much of a security risk in terms of exposure to the Internet.
Case 4: SCADA vendor asks customer for a subnet of public IP space
allocated to the customer and installs the SCADA system directly on the
Internet. From an RFC standpoint, nothing is broken. From a security
standpoint, without appropriate firewalls, a very bad idea.
So, yes, it's a dumb idea. The degree of dumbness depends.
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
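Added example (not part of Jay's post or the NANOG archive): a small Python model of the two checks his reply rests on. `announcement_accepted` stands in for a provider's route import filter, which is why an announcement of RFC1918 space goes nowhere, and `shadowed_destinations` shows the case 2/3 breakage, where a public prefix configured on the SCADA LAN makes the real owners of that space unreachable from inside. All function names, the filter's maximum prefix length of /24, and the sample prefixes and destinations are constructed for this illustration; the `1.2.3.0/24` prefix is picked only as a stand-in for "somebody else's allocated public space".

```python
"""Classify locally configured IPv4 prefixes and show the reachability
cost of using non-RFC1918 space on an internal network.

Added example; not the NANOG post's own code. The prefix filter is a
deliberately crude model of what a provider applies to customer BGP
announcements, and the bogon list is far shorter than a real one.
"""
import ipaddress

# RFC 1918 private-use blocks.
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other special-purpose blocks a provider import filter also rejects
# (this-network, CGNAT shared space, loopback, link-local, documentation,
# multicast, reserved). Intentionally incomplete.
OTHER_SPECIAL = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _overlaps_any(net, blocks):
    # overlaps() raises on mixed address families, so compare same-version only.
    return any(net.overlaps(b) for b in blocks if b.version == net.version)


def classify_prefix(prefix: str) -> str:
    """Return 'rfc1918', 'special-purpose' or 'public' for an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if _overlaps_any(net, RFC1918):
        return "rfc1918"
    if _overlaps_any(net, OTHER_SPECIAL):
        return "special-purpose"
    return "public"


def announcement_accepted(prefix: str, max_len: int = 24) -> bool:
    """Crude model of a provider's import filter (max_len is an assumption):
    drop RFC1918 and other special-purpose space, and drop anything longer
    than max_len. This is why 'I could announce private space' gains nothing."""
    net = ipaddress.ip_network(prefix, strict=False)
    if classify_prefix(prefix) != "public":
        return False
    return net.prefixlen <= max_len


def shadowed_destinations(internal_prefix: str, destinations):
    """Case 2/3 from the post: hosts on a LAN configured with public space
    cannot reach Internet addresses inside that space, because the directly
    connected route beats the default route. Returns the unreachable ones."""
    net = ipaddress.ip_network(internal_prefix, strict=False)
    return [d for d in destinations if ipaddress.ip_address(d) in net]


if __name__ == "__main__":
    # Constructed sample: a SCADA LAN numbered out of someone else's public /24.
    lan = "1.2.3.0/24"
    print(lan, "->", classify_prefix(lan))
    print("provider accepts 10.0.0.0/8:", announcement_accepted("10.0.0.0/8"))
    print("unreachable from the LAN:",
          shadowed_destinations(lan, ["1.2.3.77", "5.6.7.8"]))
```

Run it as-is to see the constructed case; feed `classify_prefix` the subnet from a real installation's configuration to decide which of the four cases in the post applies, and `shadowed_destinations` a list of hosts the system must reach to find out what the misconfiguration actually breaks.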