DoD IP Space

Sabri Berisha sabri at cluecentral.net
Wed Jan 20 20:16:26 UTC 2021


----- On Jan 20, 2021, at 6:58 AM, j k <jsklein at gmail.com> wrote: 

Hi,

> My question becomes, what level of risk are these companies taking on by using
> the DoD ranges on their internal networks? And have they quantified the costs
> of this outage against moving to IPv6?

Not so long ago, while working for a large enterprise, my team was considering
the use of non-advertised public IP space when we realized we were close to 
running out of RFC1918 space. Eventually we decided against it as we had enough
options to reclaim unused RFC1918 from within the company. However, we had a
number of arguments against the use of public ranges:

- The risk of owners deciding to advertise their space. If so, since we operated
  a popular ecommerce site, there would be a huge risk of users encountering
  issues.
- The risk of inadvertent security issues. People using RFC1918 space, even the
  most network-illiterate dev, know that RFC1918 space is not accessible from
  the big bad internet. This (perceived) safety is absent when using public
  IP space.
- The risk of misconfiguring firewalls. Obviously, most of the policies cover
  RFC1918 space. Introducing non-RFC1918 space encourages human error.
- The risk of looking like fools if we would accidentally leak. Let's be honest.
  There are two groups of people on this list. Those who have accidentally leaked
  and those who will. I learned from my mistake(s).

As for IPv6: I know I sound like a broken record but one does not simply walk
into Mordor and migrate to IPv6. In a large enterprise, especially with one
using a lot of old code to support a highly popular webapp, it is easier to 
move a mountain than it is to get all noses aligned. The network group(s),
corp, lab, DC, backbone, may all be ready, but that does not mean that your
cloud, kubernetes, frontend, backend, operations, and billing groups are
ready. Migrating to IPv6 is a cost, as there is no ROI. It is a cost center,
not an investment. Surely, we all on this list know that it is a mandatory
expense to ensure future delivery of services, but explain that to a VP with
limited budgets. Are they going for the short term win of new features, or for
the long term "win" of retaining revenue? We all know what their bonuses are
based on.

And don't get me wrong. I'm not advocating against v6. I'm merely explaining how
difficult it can be to migrate. In most large companies, the network is like 
PG&E (the power utility in California). If it works, nobody says well done. But if
the power is out, everyone gets angry and asks why we have fools operating the
power grid. 

Thanks, 

Sabri
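The firewall argument above (policies written against RFC1918, so non-RFC1918 "internal" space silently falls outside them) is easy to check for mechanically. The script below is an added example, not code from the post or from NANOG: it takes a list of prefixes that a company treats as internal and reports every one that does not sit entirely inside an RFC1918 block. The sample prefix list is constructed; 203.0.113.0/24 (a documentation range) stands in for a squatted public range, and 10.0.0.0/7 illustrates a supernet that spills past 10.0.0.0/8. It also shows why Python's `is_private` is not an RFC1918 test: it is True for several non-RFC1918 blocks, which is exactly the kind of "perceived safety" the post warns about.

```python
import ipaddress

# The three RFC 1918 blocks. The assumption (from the post) is that the
# "internal" firewall policies match on these and nothing else.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of prefixes an enterprise might have assigned internally.
# 203.0.113.0/24 is a documentation range used here as a stand-in for
# non-advertised public space; 10.0.0.0/7 is a supernet that spills outside
# 10.0.0.0/8; 172.32.0.0/16 looks like 172.16/12 at a glance but is not in it.
SAMPLE_INTERNAL_PREFIXES = [
    "10.1.0.0/16",
    "172.31.0.0/16",
    "192.168.5.0/24",
    "172.32.0.0/16",
    "203.0.113.0/24",
    "10.0.0.0/7",
]


def is_rfc1918(prefix):
    """True only if the whole prefix lies inside a single RFC 1918 block.

    A prefix that merely overlaps (e.g. 10.0.0.0/7) is NOT considered covered,
    because an RFC1918-based policy would match only part of it.
    """
    net = ipaddress.ip_network(str(prefix), strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def audit_internal_prefixes(prefixes):
    """Return [(prefix, python_is_private)] for every prefix that an
    RFC1918-only firewall policy would not cover.

    The second element records what ipaddress.is_private says about the
    prefix, to show that it can be True for non-RFC1918 space (TEST-NETs,
    link-local, benchmarking ranges) and must not be used as the check.
    """
    flagged = []
    for p in prefixes:
        net = ipaddress.ip_network(str(p), strict=False)
        if is_rfc1918(net):
            continue
        flagged.append((str(net), net.is_private))
    return flagged


if __name__ == "__main__":
    for prefix, py_private in audit_internal_prefixes(SAMPLE_INTERNAL_PREFIXES):
        print(f"{prefix:18} not RFC1918 (ipaddress.is_private={py_private})")
```

Run it against the real internal prefix list exported from IPAM; anything it prints needs an explicit firewall object rather than the "internal = RFC1918" assumption. The `subnet_of` check is deliberate: a supernet like 10.0.0.0/7 overlaps 10.0.0.0/8 but is only half covered, and that half-coverage is precisely the human-error case the post describes.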

