Arguing against using public IP space

Michael Sinatra michael at rancid.berkeley.edu
Tue Nov 15 19:27:58 UTC 2011


On 11/13/11 07:36, Jason Lewis wrote:
> I don't want to start a flame war, but this article seems flawed to
> me.  It seems an IP is an IP.
>
> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
>
> I think I could announce private IP space, so doesn't that make this
> argument invalid?  I've always looked at private IP space as more of a
> resource and management choice and not a security feature.

Really, the article doesn't make much sense.  The claim is that SCADA 
systems come with "public IP addresses by default" and that SCADA 
engineers are too ignorant of Internet security practices to know to 
re-configure them. First, the ignorance factor goes right back to the 
two axioms I mentioned in my reply to Bill.  If you aren't paying 
attention, then you don't have security, regardless of which IP address 
space you use.

Second, there's the point that the SCADA systems come with public IP 
addresses by default.  So what?  The article incorrectly confuses 
"public" IP addresses with "routable" IP addresses.  As an example, when 
I worked in the College of Chemistry at UC Berkeley, there was a lab 
with NMR machines that all came with public IP addresses by 
default--those of the manufacturer.  Of course, since the manufacturer 
was in Germany, and we were in the US, those IP addresses weren't 
routable in our network.  Are SCADA systems similarly configured?  The 
article doesn't say if the manufacturers pre-configure addresses within 
the client's IP blocks or their own, or even 1.2.3.0/24.

If the manufacturer went to the trouble of configuring the system on 
routable IP addresses, then the SCADA engineer can easily specify which 
set of addresses.  If the manufacturer really does configure "public" IP 
addresses "by default" then it's unlikely that those "public" IP 
addresses are actually _routable_ on the network which is using the 
SCADA system.

Oh, and the article treats RFC1918 and RFC4193 as equivalent, which is 
WRONG WRONG WRONG!

michael
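The distinction the post draws, "public" versus "routable on this network", and the RFC1918/RFC4193 distinction, as an added example that is not part of the original thread. The routing table, the campus public block 203.0.113.0/24 and the ULA prefix are constructed values; 1.2.3.0/24 is the manufacturer default the post mentions.

```python
# Added example (not from the NANOG thread): classify an address by scope,
# then ask the separate question of whether THIS network has a route to it.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")   # IPv6 unique local addresses

# Constructed campus routing table: it carries RFC1918 space, the campus's
# own public block (documentation prefix used here) and one ULA /48.  It
# does NOT carry 1.2.3.0/24, the vendor's "public by default" space.
CAMPUS_ROUTES = ["10.0.0.0/8", "192.168.0.0/16",
                 "203.0.113.0/24", "fd12:3456:789a::/48"]


def address_scope(addr):
    """'rfc1918' (shared IPv4 private space), 'rfc4193-ula' (IPv6 unique
    local) or 'public' for everything else (loopback etc. not separated)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.version == 6 and ip in RFC4193:
        return "rfc4193-ula"
    return "public"


def ula_global_id(addr):
    """The 40-bit Global ID of an RFC4193 address (bits 8..47).  RFC4193 says
    it is pseudo-randomly generated per site, which is one reason ULA is not
    simply 'RFC1918 for IPv6': every RFC1918 site draws from the same blocks."""
    ip = ipaddress.ip_address(addr)
    if address_scope(ip) != "rfc4193-ula":
        raise ValueError(f"{ip} is not an RFC4193 address")
    return (int(ip) >> 80) & ((1 << 40) - 1)


def is_routable(addr, routes):
    """Longest-prefix match against this network's routing table.  Returns
    the matching prefix as a string, or None when no route covers addr:
    'public' tells you nothing about whether a packet can get there."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(r) for r in routes]
    hits = [n for n in nets if n.version == ip.version and ip in n]
    if not hits:
        return None
    return str(max(hits, key=lambda n: n.prefixlen))
```

Running `is_routable("1.2.3.4", CAMPUS_ROUTES)` returns None even though the address is public, while `is_routable("10.20.30.40", CAMPUS_ROUTES)` returns "10.0.0.0/8": a private address the network routes, a public one it does not.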
