External ip addresses on LAN

24 replies to this topic

#1 thomag

thomag

    Neowinian

  • Joined: 10-March 11

Posted 23 July 2014 - 13:52

I have a customer who has set up their internal network and assigned a range of external IP addresses to their PCs and servers. I have told them repeatedly that they have to switch to internal addresses (10.x.y.z or 172.16.y.z - 172.31.y.z or 192.168.y.z) but they are not treating it as a priority, even though their network performance is poor - they just throw faster hardware at it.

 

Can anyone point me to an authoritative source that shows the consequences of their behaviour please?




#2 Jason S.

Jason S.

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 01-September 03
  • Location: Cleveland, Ohio

Posted 23 July 2014 - 14:01

any company that's been hacked in the last few years? :rofl:



#3 Ambroos

Ambroos

    Neowinian Senior

  • Tech Issues Solved: 7
  • Joined: 16-January 06
  • Location: Belgium
  • OS: Windows 7 + 8.1
  • Phone: Sony Xperia Z2

Posted 23 July 2014 - 14:11

If they own the range they're assigning they'll be fine. Depending on what they need to do it can be a benefit that the computers are directly accessible from the internet (without the need to set up forwarding etc).

 

If they don't own the range and just picked something (and are still behind NAT), they'll start running into issues the moment they have to reach the actual computers in that range/their subnet.



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 July 2014 - 14:14

Do they own this address space? They are free to do with their address space what they want. Now if they just pulled some public address space out of thin air and are using it - this is bad practice to be sure.

Sorry Jason but using public address space on your network does not mean it's open to attack. Now if there is no firewall between these public IPs and the wild west of the internet you have issues. But using rfc1918 space does not mean their network is not at risk from being "hacked" ;)

Again you're not going to find "an authoritative source" that says using rfc1918 space is a requirement, because it's NOT.. if they have the IP space registered to them, and they want to use it on any network they control and manage that is up to them.

I am of the camp that public address space should be used in public facing networks only, ie dmz, etc.. I don't see the point of using it say on workstations for example. But there is nothing against this practice, etc.

#5 OP thomag

thomag

    Neowinian

  • Joined: 10-March 11

Posted 23 July 2014 - 14:23

Do they own this address space? No. They just picked a range of numbers at random. As you can guess, the guy who did it has 'moved on' and the person who took over does not see that they are doing anything wrong. I just want to point them at something that will convince him to get it fixed.



#6 Jason S.

Jason S.

    Neowinian Senior

  • Tech Issues Solved: 6
  • Joined: 01-September 03
  • Location: Cleveland, Ohio

Posted 23 July 2014 - 14:27

Sorry Jason but using public address space on your network does not mean it's open to attack. Now if there is no firewall between these public IPs and the wild west of the internet you have issues. But using rfc1918 space does not mean their network is not at risk from being "hacked" ;)

you're right - I was just assuming there was no firewall in place.



#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 July 2014 - 14:31

You have your answer in what you quoted ;) You might want to fix that.

Well I would look up who owns the address space or what address is it - what do the first couple of octets start with?

You could hope it was something from a major player, and then trying to access their website or services would be a good reason for them to move off it.

While pretty much anyone in networking will tell you pulling address space out of thin air is bad practice, or reusing others' space that you feel you would never use, etc., there is no LAW that says you can not do it. As long as you don't advertise that network you don't own out to the public net as a route to that network, you can use whatever you want to on your internal network.

It's just bad practice to do so. And any networking person that has to work on that network is going to be thinking in the back of his head - whoever set up this network was an idiot ;) heheheeh

#8 +RedReddington

RedReddington


  • Joined: 14-May 03

Posted 23 July 2014 - 14:36

It wouldn't really affect network "performance" per se. But yeah they can do what they want IF they own the address space. You find some of the early adopters of Class A ranges do this, especially big Unis. NAT'ing isn't mandatory. But they would at least need a firewall on there if they don't expect to get at least scanned daily!!....



#9 dragon2611

dragon2611

    Neowinian Senior

  • Joined: 30-July 04
  • Location: Somewhere in the UK

Posted 23 July 2014 - 15:17

If they own the range they're assigning they'll be fine. Depending on what they need to do it can be a benefit that the computers are directly accessible from the internet (without the need to set up forwarding etc).

 

If they don't own the range and just picked something (and are still behind NAT), they'll start running into issues the moment they have to reach the actual computers in that range/their subnet.

 

It's more likely for the ISP to own the range and to have assigned it to their connection than for them to own the range directly.

 

It is possible to be directly assigned a range from the regional registry, but generally this is only done for companies who need their own IP space in order to announce it to multiple carriers for redundancy reasons or are themselves an ISP.



#10 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 July 2014 - 15:37

Would depend on the size of the company.. But the OP already stated the previous guy, I am reluctant to use the word tech or admin in reference to someone that would do that ;) Just pulled it out of his derriere.

#11 episode

episode

    Neowinian Fanatic

  • Tech Issues Solved: 3
  • Joined: 11-December 01

Posted 23 July 2014 - 15:51

How are you determining that they are using 'public' addresses?

 

You can assign whatever you want locally and your router/firewall figures it out. Usually you choose a range that doesn't overlap with public addressing, but that doesn't have to be the case.



#12 dragon2611

dragon2611

    Neowinian Senior

  • Joined: 30-July 04
  • Location: Somewhere in the UK

Posted 23 July 2014 - 16:03

How are you determining that they are using 'public' addresses?

 

You can assign whatever you want locally and your router/firewall figures it out. Usually you choose a range that doesn't overlap with public addressing, but that doesn't have to be the case.

 

Anything that isn't within the following ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 would usually be a "public" address.



#13 episode

episode

    Neowinian Fanatic

  • Tech Issues Solved: 3
  • Joined: 11-December 01

Posted 23 July 2014 - 23:36

Anything that isn't within the following ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 would usually be a "public" address.


Of course. Keyword is usually. There's not really a reason you can't use whatever you want, especially if you've got a double NAT situation like most Comcast business users do.

#14 Walid W.

Walid W.

    I love Orcinus Orca

  • Tech Issues Solved: 3
  • Joined: 19-July 08
  • Location: Lost somewhere in Sweden
  • OS: Ubuntu, Debian, Backtrack 5r, Windows 7 & XP
  • Phone: iPhone 3GS, iPhone 4s & HTC One

Posted 24 July 2014 - 08:33

I have a customer who has set up their internal network and assigned a range of external IP addresses to their PCs and servers. I have told them repeatedly that they have to switch to internal addresses (10.x.y.z or 172.16.y.z - 172.31.y.z or 192.168.y.z) but they are not treating it as a priority, even though their network performance is poor - they just throw faster hardware at it.

 

Can anyone point me to an authoritative source that shows the consequences of their behaviour please?

As it was already mentioned there is no problem using external IPs as long as they own the range. We own four /24 external IP ranges and we're using them at some locations. I know some VERY big companies in Sweden that are using ONLY external IPs.



#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 24 July 2014 - 11:18

Keep in mind as ipv6 takes over, you're going to see public ip space on all devices. At some point the rfc1918 space will no longer be used and all ipv4 space will be gone as well.

Again while I agree that public ipv4 should be reserved for public facing devices that serve the public space, if they want public ipv4 on their printer/scanner in the office that is up to them.

Do they have something else wrong with the addresses, where a renumber would just be the logical thing to do? Like user or dept vlans/segments with infrastructure on another, wireless isolated to its own network, etc. etc.. Or is it just one flat network using some pulled out of the air addresses - again what are the first 2 octets? Is it reserved space or public? Now if they were using multicast addressing then we would have an argument for sure, etc..
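An added example (not from anyone in this thread) of the two checks suggested in #12 and #15: sort a LAN inventory into the RFC 1918 blocks, multicast, other reserved space and "public", then tally the /16 prefixes of the public ones so you know which first two octets to look up at a registry. The host list is constructed for illustration; 203.0.113.0/24 is the documentation range, not a real squatted block.

```python
"""Audit a list of LAN addresses against RFC 1918 space.

Example code added for illustration; SAMPLE_HOSTS is a constructed
inventory, not addresses from the thread.
"""
import ipaddress
from collections import Counter

# The three private blocks listed in reply #12.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'multicast', 'reserved', 'public' or 'ipv6'."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "ipv6"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in MULTICAST:
        return "multicast"
    # Loopback, 169.254/16 link-local, 240/4 and 0.0.0.0 are not usable LAN space either.
    if ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"


def audit(hosts):
    """Map each host to its class and count the /16 prefixes (first two
    octets) of the hosts classed as public, i.e. the ones to look up."""
    result = {h: classify(h) for h in hosts}
    prefixes = Counter(
        str(ipaddress.ip_network(f"{h}/16", strict=False))
        for h, cls in result.items() if cls == "public")
    return result, prefixes


# Constructed inventory: note 172.32.0.1 sits just past 172.16.0.0/12.
SAMPLE_HOSTS = ["10.1.2.3", "172.20.5.9", "172.32.0.1", "192.168.1.10",
                "224.0.0.251", "203.0.113.7", "203.0.113.8"]

if __name__ == "__main__":
    classes, to_lookup = audit(SAMPLE_HOSTS)
    for host, cls in classes.items():
        print(f"{host:15} {cls}")
    print("public /16 prefixes to check ownership of:", dict(to_lookup))
```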