DoD IP Space
Sabri Berisha
sabri at cluecentral.net
Wed Jan 20 20:16:26 UTC 2021
----- On Jan 20, 2021, at 6:58 AM, j k <jsklein at gmail.com> wrote:
Hi,
> My question becomes, what level of risk are these companies taking on by using
> the DoD ranges on their internal networks? And have they quantified the costs
> of this outage against moving to IPv6?
Not so long ago, while working for a large enterprise, my team was considering
the use of non-advertised public IP space when we realized we were close to
running out of RFC1918 space. Eventually we decided against it as we had enough
options to reclaim unused RFC1918 from within the company. However, we had a
number of arguments against the use of public ranges:
- The risk of owners deciding to advertise their space. If so, since we operated
a popular ecommerce site, there would be a huge risk of users encountering
issues.
- The risk of inadvertent security issues. People using RFC1918 space, even the
most network-illiterate dev, know that RFC1918 space is not accessible from
the big bad internet. This (perceived) safety is absent when using public
IP space.
- The risk of misconfiguring firewalls. Obviously, most of the policies cover
RFC1918 space. Introducing non-RFC1918 space encourages human error.
- The risk of looking like fools if we would accidentally leak. Let's be honest.
There are two groups of people on this list. Those who have accidentally leaked
and those who will. I learned from my mistake(s).
As for IPv6: I know I sound like a broken record but one does not simply walk
into Mordor and migrate to IPv6. In a large enterprise, especially with one
using a lot of old code to support a highly popular webapp, it is easier to
move a mountain than it is to get all noses aligned. The network group(s),
corp, lab, DC, backbone, may all be ready, but that does not mean that your
cloud, kubernetes, frontend, backend, operations, and billing groups are
ready. Migrating to IPv6 is a cost, as there is no ROI. It is a cost center,
not an investment. Surely, all of us on this list know that it is a mandatory
expense to ensure future delivery of services, but explain that to a VP with
limited budgets. Are they going for the short term win of new features, or for
the long term "win" of retaining revenue? We all know what their bonuses are
based on.
And don't get me wrong. I'm not advocating against v6. I'm merely explaining how
difficult it can be to migrate. In most large companies, the network is like
PG&E (the power utility in California). If it works, nobody says well done. But if
the power is out, everyone gets angry and asks why we have fools operating the
power grid.
Thanks,
Sabri
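The two risks the mail lists first (the owner of an unadvertised block starting to announce it, and firewall policies that only name RFC1918 space) are both mechanical enough to audit. The following is an added example, not something from this thread or from any project; it uses Python's standard `ipaddress` module, a constructed internal address plan, and TEST-NET blocks (203.0.113.0/24, 198.51.100.0/24) as placeholders for "public space someone else owns", rather than any real DoD assignment. The "announced prefixes" list is likewise a constructed stand-in for a routing table snapshot.

```python
import ipaddress

# RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample address plan: mostly RFC1918, plus one block of public space
# the company does not own (TEST-NET-3 as a placeholder) and one RFC 6598 block.
INTERNAL_PLAN = {
    "corp-users": "10.20.0.0/16",
    "lab": "172.20.0.0/16",
    "dc-east": "192.168.100.0/22",
    "dc-west": "203.0.113.0/24",   # placeholder for "somebody else's unadvertised /24"
    "k8s-pods": "100.64.0.0/10",   # RFC 6598 shared address space, also not RFC1918
}

# Constructed stand-in for a snapshot of prefixes currently seen in the global table.
# In real use this would come from a route collector or the company's edge routers.
ANNOUNCED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed firewall policy: the source ranges the rule set treats as "inside".
# Written the way the mail describes, it only names RFC1918 space.
TRUSTED_SOURCES = list(RFC1918)


def is_rfc1918(net):
    """True if the whole network sits inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(r) for r in RFC1918)


def overlapping_announcements(net, announced):
    """Announced prefixes that overlap the given internal network (same address family only)."""
    return [p for p in announced if p.version == net.version and net.overlaps(p)]


def audit_plan(plan, announced):
    """Report every non-RFC1918 allocation and whether it collides with a live announcement.

    Returns {name: {"network": str, "announced_overlap": [str, ...]}}.
    An allocation listed with a non-empty overlap is the "owner started advertising"
    case: hosts in that range will reach the internal copy instead of the real one.
    """
    findings = {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if is_rfc1918(net):
            continue
        hits = overlapping_announcements(net, announced)
        findings[name] = {"network": str(net), "announced_overlap": [str(p) for p in hits]}
    return findings


def uncovered_by_policy(plan, trusted):
    """Names of allocations that no 'trusted' rule fully covers.

    These fall through to the firewall's default rule, which is the
    misconfiguration risk the mail describes when non-RFC1918 space is introduced.
    """
    out = []
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(t.version == net.version and net.subnet_of(t) for t in trusted):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, info in audit_plan(INTERNAL_PLAN, ANNOUNCED_PREFIXES).items():
        print(f"non-RFC1918: {name} {info['network']} overlaps announced {info['announced_overlap']}")
    print("not covered by trusted-source rules:", uncovered_by_policy(INTERNAL_PLAN, TRUSTED_SOURCES))
```

Run periodically against the real IPAM export and a fresh route snapshot; a new overlap in `audit_plan` is the early warning that the block's owner has begun to announce it, and a non-empty `uncovered_by_policy` result means the firewall policy and the address plan have drifted apart.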