Sign in to follow this  
Followers 0
thomag

External ip addresses on LAN

25 posts in this topic

I have a customer who has set up their internal network and assigned a range of external ip addresses to their PCs and servers. I have told them repeatedly that they have to switch to internal addresses (10.x.y.z or 172.16.y.z - 172.31.y.x or 192.168.y.z) but they are not treating it as a priority, even though their network performance is poor - they just throw faster hardware at it.

 

Can anyone point me to an authoritative source that shows the consequences of their behaviour please?

Share this post


Link to post
Share on other sites

any company that's been hacked in the last few years? :rofl:

Share this post


Link to post
Share on other sites

If they own the range they're assigning they'll be fine. Depending on what they need to do it can be a benefit that the computers are directly accessible from the internet (without the need to set up forwarding etc).

 

If they don't own the range and just picked something (and are still behind NAT), they'll start running into issues the moment they have to reach the actual computers in that range/their subnet.

Share this post


Link to post
Share on other sites

Do they own this address space? They are free to do with their address space what they want. Now if they just pulled some public address space out of thin air and using it - this is bad practice to be sure.

Sorry Jason but using public address space on your network does not mean its open to attack. Now if there is no firewall between these public IPs and the wild west of the internet you have issues. But using rfc1918 space does not mean their network is not at risk from being "hacked' ;)

Again your not going to find "an authoritative source" that says using rfc1918 space is a requirement, because its NOT.. if they have the IP space registered to them, and they want to use it on any network they control and manage that is up to them.

I am of the camp that public address space should be use in public facing networks only, ie dmz, etc.. I don't see the point of using it say on workstations for example. But there is nothing against this practice, etc.

1 person likes this

Share this post


Link to post
Share on other sites

Do they own this address space? No. They just picked a range of numbers at random. As you can guess, the guy who did it has 'moved on' and the person who took over does not see that they are doing anything wrong. I just want to point them at something that will convince him to get it fixed.

Share this post


Link to post
Share on other sites

Sorry Jason but using public address space on your network does not mean its open to attack. Now if there is no firewall between these public IPs and the wild west of the internet you have issues. But using rfc1918 space does not mean their network is not at risk from being "hacked' ;)

youre right - i was just assuming there was no firewall in place.

Share this post


Link to post
Share on other sites

You have your answer in what you quoted ;) You might want to fix that.

Well I would look up who owns the address space or what address is it it - what do the first couple of octets start with?

You could hope it was something from a major player and then try and access their website or services would be good reason for them to move off it.

While pretty much anyone in networking will tell you pulling address space out of thin air is bad practice, or reusing others space that you feel you would never use, etc. There is no LAW that says you can not do it. As long as you don't advertise that network you not own out to the public net as a route to that network. You can use whatever you want to on your internal network.

Its just bad practice to do so. And any networking person that has to work on that network is going to be thinking in the back of his head - whoever setup this network was an idiot ;) heheheeh

2 people like this

Share this post


Link to post
Share on other sites

It wouldn't really affect network "performance" per se. But yeah they can do what they want IF they own the address space. You find some of the early adopters of Class A Ranges do this, Especially big Uni's. NAT'ing isnt mandatory. But they would least need a firewall on their if they don't expect to get at least scanned daily!!....

Share this post


Link to post
Share on other sites

If they own the range they're assigning they'll be fine. Depending on what they need to do it can be a benefit that the computers are directly accessible from the internet (without the need to set up forwarding etc).

 

If they don't own the range and just picked something (and are still behind NAT), they'll start running into issues the moment they have to reach the actual computers in that range/their subnet.

 

It's more likely for the ISP to own the range and to have assigned it to their connection than for them to own the range directly.

 

It is possible to be directly assigned a range from the regional registry, but generally this is only done for companies who need their own IP space in order to announce it to multiple carriers for redundancy reasons or are themselves an ISP.

Share this post


Link to post
Share on other sites

Would depend on the size of the company.. But the OP already stated the previous guy, I am reluctant to use the word tech or admin in reference to someone that would do that ;) Just pulled it out of his derriere.

Share this post


Link to post
Share on other sites

How are you determining that they are using 'public' addresses?

 

You can assign whatever you want locally and your router/firewall figures it out. Usually you choose a range that doesn't overlap with public addressing, but that doesn't have to be the case.

Share this post


Link to post
Share on other sites

How are you determining that they are using 'public' addresses?

 

You can assign whatever you want locally and your router/firewall figures it out. Usually you choose a range that doesn't overlap with public addressing, but that doesn't have to be the case.

 

Anything that isn't within the following ranges 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 would usually be a "public" address, 

Share this post


Link to post
Share on other sites

Anything that isn't within the following ranges 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 would usually be a "public" address,

Of course. Keyword is usually. Theres not really a reason you can't use whatever you want, especially if you've got a double NAT situation like most Comcast business users do.

Share this post


Link to post
Share on other sites

I have a customer who has set up their internal network and assigned a range of external ip addresses to their PCs and servers. I have told them repeatedly that they have to switch to internal addresses (10.x.y.z or 172.16.y.z - 172.31.y.x or 192.168.y.z) but they are not treating it as a priority, even though their network performance is poor - they just throw faster hardware at it.

 

Can anyone point me to an authoritative source that shows the consequences of their behaviour please?

As it was already mentioned there are no problem using external IP's as long as they own the range. We own four /24 external IP range and we're using it at some locations. I know some VERY big companies in Sweden that are using ONLY external IP's.

Share this post


Link to post
Share on other sites

Keep in mind as ipv6 takes over, your going to see public ip space on all devices. At some point the rfc1918 space will no longer be used and all ipv4 space will be gone as well.

Again while I agree that public ipv4 should be reserved for public facing devices that serve the public space, if they want public ipv4 on their printer/scanner in the office that is up to them.

Do they have something else wrong with the addresses, where a renumber would just be logical thing to do. Like user or dept vlans/segments with infrastructure on another, wireless isolated to its own network, etc. etc.. Or is it just one flat network using some pull out of the air addresses - again what is the first 2 octets? Is it reserved space or pubic? Now if they were using multicast addressing then we would have an argument for sure, etc..

Share this post


Link to post
Share on other sites

yeah pretty much all ip space in the US would be administered by ARIN. What are the first 2 octets for example my isp connection is 24.13.x.x which you can look up is owned by comcast

NetRange: 24.12.0.0 - 24.15.255.255

CIDR: 24.12.0.0/14

NetName: ILLINOIS-14

CustName: Comcast Cable Communications

IP space is broken up by region ARIN, RIPE, LACNIC, APNIC and AFRINIC

Share this post


Link to post
Share on other sites

They are using 172.0.y.z

Share this post


Link to post
Share on other sites

They are using 172.0.y.z

 

Guarantee that it was just set up non-standard and they aren't using 'public' addresses. They are just using addresses that aren't considered local only. Probably they had a 172.16.x.x network and had a problem or wanted a different sub for some reason so the previous guy switched to 172.0.y.y. Not really a big deal. They do have a router/firewall in place, correct? If you go to whatismyip.com or just google 'what is my ip' from one of their computers, what do you get?

Share this post


Link to post
Share on other sites

As it was already mentioned there are no problem using external IP's as long as they own the range. We own four /24 external IP range and we're using it at some locations. I know some VERY big companies in Sweden that are using ONLY external IP's.

Well that's just got damn greedy. You have ISPs who struggle to get pools of IPv4 so they implement CG-NAT which detriments the whole internet and then there's huge companies with all workstations on public IPs. Atrocious if you ask me.

They are using 172.0.y.z

I sense your border router getting very confused here. Hows the network even set-up? Are the ones on those IP ranges split up with sub-interfaces? 

Share this post


Link to post
Share on other sites

I don't know any further details. I supply application software to them and am trying to convince them to use one of the standard internal address ranges in the hope that it will improve their network performance.

The original question I asked was if someone knew of a web site that I could point them to that would convince them to take this seriously and resolve it rather than leave it on the 'to do' list.

Share this post


Link to post
Share on other sites

I don't know any further details. I supply application software to them and am trying to convince them to use one of the standard internal address ranges in the hope that it will improve their network performance.

The original question I asked was if someone knew of a web site that I could point them to that would convince them to take this seriously and resolve it rather than leave it on the 'to do' list.

Why are you trying to convience them to change from using external IP to internal? I have never seen a website that advice of using internal IP's. As stated before in this thread, there is no harm in using external IP's, if they own the range then no problem of using them at all but if they don't own it then that is a big mistake. You can tell them this.

Share this post


Link to post
Share on other sites

I don't know any further details. I supply application software to them and am trying to convince them to use one of the standard internal address ranges in the hope that it will improve their network performance.

The original question I asked was if someone knew of a web site that I could point them to that would convince them to take this seriously and resolve it rather than leave it on the 'to do' list.

Just google anything to do with RFC 1918. Even show them the RFC if you wan't because it's the official standard for IP address ranges internally. That should be as forceful really, the official standard on how to do it.

 

RFC 1918:

http://tools.ietf.org/html/rfc1918

Share this post


Link to post
Share on other sites

NetRange: 172.0.0.0 - 172.15.255.255

CIDR: 172.0.0.0/12

OriginAS: AS7132

OrgName: AT&T Internet Services

That network is owned by AT&T ;) so its quite possible that some att services on the public internet would not work if they wanted to access them, because to their machines that network is local.

Share this post


Link to post
Share on other sites

Hello,

 

Back when I was working at a VoIP hardware manufacturer, I came across a customer who did something similar.  They set up their internal LAN with something like 168.192.x.x.  Most services worked, and the few that didn't they had workarounds for (e.g., have the other party intiate a connection, host the meeting, etc.).  They eventually had to fix it when their SIP server/B2BUA wouldn't work, as it was routing all their calls to some other part of the world.

 

Regards,

 

Aryeh Goretsky

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.