Using RFC 1918 IP Addresses on Internal Routers?

braek asks: "Our network has expanded to the point that I have about 6 separate network links to remote networks. I would like to avoid using public IP addresses for the routers to conserve my limited global IP addresses, and I don't expect any additional IP's for a while. :( What do you guys think about assigning internal routers a private, RFC 1918 IP address, like 10.0.0.1 or something? (For security, RFC 1918 addressess would be filtered at the border routers.)"

"I am testing this right now, and routing seems to work fine, the only problem I can think of, is when someone does a traceroute, it will show up like:

10   120 ms   131 ms   120 ms  152.63.67.97
11   130 ms   130 ms   131 ms  66.141.21.1
12     *        *        *     Request timed out.
13   130 ms   130 ms   140 ms  66.141.21.185

Hop 12 is the router with the private RFC 1918 address, and I am assuming it is not responding to a traceroute because the IP is not globally routable. However, all the clients behind the router have complete, unabashed network access. What problems may one encounter if implementing this kind of addressing scheme?"

As long as you have just plain connections

[Tairan]

it should be fine. You wont need Inet access on these lines - just plain point to point leased line from your telco. My previous company used to do this. Many other large companies still do. Basically, they provide you with the equivilant to a really long patch cable. I'd suggest setting up all your branch offices to point to a single master office, where your bridge/gateway for inet access is. That way you can filter/proxy/monitor/whatever you want, and still have a secure network

Only one issue

[Xenophon+Fenderson,]

When I traceroute from my Road Runner Pro connection (which uses statically-assigned routable IP addresses), I see at least one 10/8 network:

eco-fs1:~>traceroute -n slashdot.org
traceroute to slashdot.org (64.28.67.150), 30 hops max, 38 byte packets
165.29.199.11.986 ms1.920 ms1.915 ms
210.55.160.111.023 ms11.421 ms10.648 ms
324.29.1.778.931 ms9.818 ms9.734 ms
424.29.1.12910.547 ms10.612 ms9.011 ms
524.29.1.17710.051 ms9.535 ms18.987 ms
...and so forth.

Technically, this is the Wrong Thing. Likewise, your routers should never respond to or generate traffic using RFC 1918 addresses.

Re:Only one issue

[Splork]

My cheapo DSL ISP (telocity, now DirecTVDSL) does this as well.

It's not the wrong thing to do provided, as is the case, my computers never have a need to talk directly to my ISPs intermediate routers and their intermediate routers never have a need to talk directly to my DSL hosts. So it shows up as an actual hop in the traceroute, big deal; you might as well think of it as your packet being tunneled through a cloud of routers running another protocol.

I am still free to use those addresses on my internal network all I want without any problems.

(well sort of, they make http://10.5.1.2/ hit the web interface on their proprietary dsl modem to check status, gather line speed and traffic statistics, etc. but so what; there's 24 million 10/8 addresses)

Re:Only one issue

[anticypher]

I see at least one 10/8 network:
2 10.55.160.1 11.023 ms

Nope. It looks like a 10.55.160.1/30 point to point link between the uBR headend router for your neighborhood and the core routers in Cincinnati. Since the uBR is only collecting traffic and passing it on to the core, it never needs a routable interface, hence RR is doing a technically valid thing.

There is nothing wrong with using an RFC 1918 address for internal links. Many ISPs use them for point to point links to conserve IP use. So what if RR is using a 10 address on one of their internal links? Your packets are still being routed, your traceroute got to /., and you were able to post wrong information :-)

Its not the wrong thing to conserve IPv4 address. Its good practice, every one should be doing it.

Routers should respond to all valid IP addresses, even RFC1918 addresses. What shouldn't be done is to route those packets to the internet. If your border routers are participating in BGP4, then they should be dropping any packets with source or destination matching RFC1918, and should ignore (filter) any route to an RFC1918 net. There are lots of badly configured border routers out there spewing route advertisements for private network ranges, just learn to filter them out, and make sure you filter your own out.

the AC

Re:Only one issue

[matts.nu]

BGP4 has nothing to do with dropping rfc1918 source addresses. BGP4 is used for routing on destination address only, not source address. As the above traceroute showed packets from 10/8 are routed just fine.

For the original poster, you don't need to filter packets with rfc1918 source addresses.

Re:Only one issue

[Yarn]

It's fine, generally, but it can get irritating if you're using the same 1918 addresses internally.

My isp uses 172.16.x 192.168.x and 10.x scattered randomly.

Means my traceroutes take longer than is necessary. Of course, I only traceroute when something's wrong, but it *is* an additional irritation when I'm trying to fix stuff.

Re:Only one issue

[Cato]

There's no problem with using RFC1918 on internal interfaces - however, it would be better to configure the routers so they use a publicly addressable loopback interface as the source address of ICMP packets that they generate. In other words, this would prevent the 10.x address from appearing (and perhaps prevent some paranoid routers from dropping the ICMP packet from that router). Of course, the long term solution is to implement IPv6 before the combined weight of IPv4 workarounds/cruft sinks the Internet...

Pretty standard, really

That should work fine. the drops in the traceroutes are due to the fact that the 10.*/internal network addresses can't reply to the trace through the internet. It makes life easier to troubleshoot if you have real ips however. You may want to consider asking for some more IP addresses if you really, really care.

We do this...

[john@iastate.edu]

One thing to note is if you are using DHCP the forwarded packets will have the 10.x.x.x address (assuming that is the primary address of the router interface).

You'll just need to use the 'shared network' statement (or equivalent if you are not using ISC's dhcpd) to take care of this.

I've done this

[MonMotha]

Caused no problems for me, other than the traceroute issue you mention (since 10.0.0.0/8 is dropped by most internet routers as it's not supposed to ever be there) and windows doesn't like using a router in the subnet other than it's primary IP as a default route. For example, I give my windows box a public IP, but the router is 10.0.0.1 (to conserve an address), I have to go to the command line and add a static route every time I boot up. Note there might be an easier way to do this in NT, but in 9x this seems to be the only way around that problem. Of course in most unices we have startup scripts to do this for us (networking isn't up when autoexec.bat is run under 9x). I guess you might be able to script soemthign to do this under 9x too though (at least I should hope you can).

--MonMotha

Re:I've done this

[penguinboy]

There's more than one place from which to automatically run commands in Windows, after networking has been loaded. Finding these with Google (or other preferred tool) is left as an exercise for the reader.

Re:I've done this

[starslab]

Simple. I've got a fairly unique ARP issue on my network that requires running a script to statically assign MAC addresses on startup. On both 9x and 2K, you should see something in the control panel : "Scheduled Tasks". You can schedule a script to run every time the system starts. Works decently well. You may need to install a fairly recent version of Internet Explorer with the "Offline Browsing" or whatever the hell Microsoft calls it, especially on NT4.

Andrew

Re:I've done this

[jismay]

Don't even bother fooling around with the scheduler. Just make a .bat file that adds the static route (or does anything you want!) and put it in the startup group. Start->startup->*.bat. Nice and simple, with no fuss or muss.

Re:I've done this

[doon]

C:\>route -?

Is your friend, look at the -p option which will make the route persistant accross boots of the system. Doesn't work win Win95 though

so a route -p add should solve your problem nicely :)

Re:I've done this

[starslab]

Wonderful, but it doesen't do jack shit until someone LOGS IN. The scheduler lets you set something to run at SYSTEM STARTUP.

My company does this for the global WAN

[Naikrovek]

All of our corporate offices use 1918 IP's for every single machine in every office, except for mail servers, remote access servers, and the firewall that we all go through to get out to the Internet.

It is possible, and it is a very good idea. If you have a web presence, this can also allow you to easily add a security layer from your datacenter (least trusted) to your office space with internal file servers (most trusted).

Can and Must

[fm6]

It's a mystery to me why this isn't considered mandatory. People sweat blood building firewalls and packet filters and block off port numbers that people need -- and the kiddies still find a way through. Using a private network space is the ultimate access control -- for anyone outside your network, internal machines simply don't exist.

Re:Can and Must

[dragonfly_blue]

Uh... until they compromise an internal host, or internal router, that is. If you think that you can lock down a network simply by using private IP's, think again.

Here is one scenario; compromise a Windows machine on 10.0.0.0/8 by sending it an email with an auto-executing file type. Have that executable run a trojan with an IRC daemon. Have that IRC daemon connect back to a channel where you have channelops.

Once you can issue commands to the shell running on that Windows box inside that network, use the compromised machine to scan every other host on the internal network for vulnerabilities. You can even use port forwarding on the compromised machine to directly attack other hosts, in a fashion similar to having a VPN. Or, you can bootstrap Gnu-style utilities such as CygWin or NT rootkits to turn that Windows machine into a fairly powerful Unix emulator. Take your pick.

The attack vectors available for compromising a host on a private subnet are many; once a host is compromised, the attacker can do whatever they'd like inside your network, "private", or not.

Re:Can and Must

[ryanmoffett]

Not quite. Let's say you compromise a host on the 10/8 network. If it attempts to make an outbound TCP connection to an IRC server, the IRC server will not be able to respond back to the 10/8 host because RFC1918 routes are going to be filtered at some point back to the client and the TCP 3-way handshake won't even complete. UDP attacks in one direction from the client to the public would be possible, but the RFC1918 source address would most likely be caught by an ingress filter at the remote end.

Now, most likely, that 10/8 host gets NAT'd to a public address through a firewall. In this case, the IRC scenario is not only possible, but a real tactic used to get past firewalls. Some, firewalls such as the Cisco PIX make it easy to not care about your outbound traffic, so a client making outbound connections to IRC servers isn't necessary going to even be noticed. This is why you have to implement egress filtering on your firewalls and/or routers to block what your users have access to should they ever get trojaned.

Re:Can and Must

[_ganja_]

What a bunch of arse and it got modded up, *sigh*. Using private address space will stop end systems being reached from outside the network sometimes* but script kiddies generally attack servers anyway. What about systems that need to be reached, ermm lets take /. as an example? If only checkpoint or the ipchains programmers etc had seen your enlightening post before they bothered eh?

*IP contains a method to define a path through a network called source routing, even using private address space it is possible to tell the routers in between how to get to the destination. This method gets around the fact that private address space is not (should not) be held in global routing tables as you tell the router how to get to the destination and not to look it up. Also realise that the fact that a 3rd party, that is *outside* your control, do not carry a route is a not valid security method. Note that turning off source-routing is simple however most admins don't know about it let alone turn it off.

Re:Can and Must

[Bryan+Andersen]

Uh... until they compromise an internal host, or internal router, that is. If you think that you can lock down a network simply by using private IP's, think again.

This is why smart admins only use them as yet another layer in their defense perimiter.

This is asking for trouble (ICMP and stuff)

[bkw]

Since most routers (should!) drop packets from or to non-routable address-space, you might run into problems with MTU-discovery and the like, which are a real bitch to debug. Also things like ECN may break. Somebody's public transfernets in private ip-space gave me headaches more often than not, which is already too much.

I'd advise to choose clever subnetting and NATing of your available space, it will save you and the rest of the net lots of pain, although private space might seem to work smoothly at first. The problems will show up when you least need them, but they will.

Re:This is asking for trouble (ICMP and stuff)

I don't ever recall hearing of a Cisco/Juniper router that drops RFC1918 addresses. Aside from packet filters and border routers, why would any router drop an RFC 1918 address?? One of the more important rules of Network Engineering is address conservation--which includes using RFC1918 addresses wherever possible.

Since the original poster runs his network, I would hope he knows where any packet filters exist that might block these networks. Typically spoofing and RFC 1918 filters are only installed at the border condition and at the DMZ demarc.

I use RFC1918 addresses on thousands of hosts throughout my multi-site network, and have never had a problem. 10.0.0.1 is just as routable as 65.0.0.1.

Also, path MTU discovery is not going to be a problem. For incoming traffic, so long as your WAN connection has a public IP, you can set its inside interface MTU to the smallest MTU on you network, probably ethernet. Besides that, you are _far_ more likely to find that icmp packet-too-big messages are being filtered.

Re:This is asking for trouble (ICMP and stuff)

[bkw]

Jessas Christ, of course I was talking of BORDER-routers explicitly configured to drop rfc1918 packets! Where else would you want to drop them, in the very network that is setup to use them?

Enforcing a mtu at his border router is a neat idea, but if he or anybody else sets up links with a smaller mtu (like tunnels or ppp links) within the rfc1918 net, he will run into problems again and will have to decrease the mtu for the entire network.

A transfer network only takes very few adresses. Conserving IP space is important, but imho the existing space is better used on proper routing than on /8 networks for one single company or mass-hosters burning ips by the /18's and all that stuff that we are still having.

Isn't that what those are for?

[CounterZer0]

I thought that was what the 1918 addresses are for? We use a whole crapload of them (10.*s, 172.16.*, 192.168.*) for both internal/external segregation, as well as additional 'real VLANs'...for example, seperating our storage networks (192.168.10.0) from our 'normal PC net' (10.48.0.0). It works wonderfully!

Unnumbered IP?

[ajvtoo]

If your six separate network links are simple point-to-point links, have you considered using unnumbered IP on these links to free up some IP space?

See http://www.cisco.com/warp/public/701/20.html for some more information.

In and out

[fm6]

Hey, not system is beyond comprimise. Admins who life with that fantasy surely have the least secure systems of all!

But I was comparing the private network approach with the firewall approach. Neither would hold up with an internal system comprimised. Indeed, it's hard imagine a security that would.

Hmm..

[_ganja_]

There isn't really a problem with what you are doing, the only thing I don't really like about doing this is the management aspects when the implimentation gets a little large. More on that in a bit but first, technically, the golden rule here is as long as these addresses are of course unique and stay in your own AS you'd be fine, I'd personally go one further and would keep them only in your IGP just to be safe in case someone screws your bgp filters etc.

I'm a CCIE and been networking 11 years now, 6 with Cisco and I'd only do this is if I really had too and here's why: management of address space. I'm sure (hope) your management of all your public address space is organised and clear. Furthermore nobody would dream of adding a box to the network with a public address without asking you or another admin who would assign one, which case you would go to your speadsheet (or QIP / another tool), allocate one and record the details. With private address space people tend to just add boxes and subnets and pick an address from random out of the air. This is where time consuming issues come about with overlapping address space. If your network is going to stay small and you have full control over all the addresses then you shouldn't have much of a problem but if the network is going to grow a larger, think about the extra admin you might have to do and also if you were to be hit by a bus would the next guy understand it.

You have some cisco semi-hacks to help you out also such as unnumbered links and also note /31 subnets are available in newer IOS revisions. At the end of the day I don't know how large you're network and it's exact design, its your choice at the end of the day, just make sure it won't bite you in the ass in the future.

1918 addressing and when it should be used..

[gkuchera]

The whole purpose of the RFC 1918 "private networks" was to allow companies to connect to the internet without having to have a "registered" ip address for every machine on there network. It was also implemented to help prevent people from grabbing random addresses like 3.0.0.0 and using them for there internal addresses.

Companies will then use the private addresses on there internal networks. This concerves the public addresses for the direct addressing on the internet.

Routers will route anything that they are not speciffically told not to. The general consensis is that you should not route private addresses past your border routers (ie to the outside world). Likewise you can't expect that anyone will be able to get to your machine if it have a private address. ie. 10.1.1.1.

The only people that expressly don't route private addressing are the core internet people. This is done usually done by filtering out these addresses at the edge of each of the large internet providers. Typical firewalls will filter out private addressing as well.

Don't assume just because you are using the private addressing on your network that you are safe. This is simply not true. Generally if you are using private addressing on your internal network there is a router or firewall between you that converts your private address into a registered one(NAT). Someone that is paying attention at this point will figure out that if the core providers filter out the private addresses and if I am on a machine with a private address that I won't be able to go very far on the net(unless there is a address translation inbetween).

There are several ways that NAT's can be assigned one is dynamic (more secure) and one is static. I assure you that if your machine has a statically assigned NAT address and there is no firewall between you and the net that your machine might as well be on the net directly.

Subject: Should isp's use private addressing? Well this is a hard question to answer. If they have a office lan that is behind a firewall that very well could be privatly addressed...

Should they use private addresses on interlink segments. Personally I say no because I really hate it when traceroutes don't return addresses. Although if you want to hide a couple of routers or firewalls in your path it's not a horrible way to do it.

Private networks and security: The only security that private networks provide you is this. If the people that are trying to hack into you are beyond a firewall or provider that filters private networks your are safe until they break into a machine on your network that has registered addresses. Then they have as much access as you network will allow. (note that alot of times this machine may be on your network beyond your defences.

Finally: before you decide to inplement large networks that use private addressing you need to think about who you may be connecting to yourself. On a network each machine must have a unique address for life to be happy. If you have a several thousand host network addressed in the 10.0.0.0 range and your company buys another company that alsi uses the 10.0.0.0 range of addressing life can get very very complicated. I know this from experience.

my two cents... I hope this makes sence.
-Geoff Kuchera

RFC1918 has almost universal effective use.

[Bob_Robertson]

I've been doing this WAN/LAN thing since 1982. Ever IP shop save one that I have worked in has used RFP1918 addresses.

I cannot think of a situation, even a single end-point PC, that would not benefit from intellegent and thoughtful use of RFC1918, and even that single PC, if it offers no externally accesses services, has no need for a globally routed IP address of its own.

For all its faults, AOLs use of externally invisible addresses has meant 33 million surfing consumers without wasting routable IP addresses. The masses are (comparitively) secure from DOS and crack attacks, and the technically astute ones can still get little patches that let IP native software on their AOL attached machine work fine.

Even the Mom&Pop dial-up ISP customer, or DSL or Cable subscribers can benefit by only paying for globally routable addresses if/when they want to offer services, or the service provider can simply not offer such routable addresses. The vast majority of home users won't notice the difference.

And anyone with an internal point to point circuit can use RFC1918, anyone who uses a "real" router to link to their ISP (that includes *nix running IPMasquerade) benefits by putting their internal office on RFC1918 address except those few machines that are offering services to the outside world. And if their business depends on it, why are they putting the server in their office anyway? That's what professional datacenters are for.

Of course it can cause problems if done randomly or without consideration that yes indeed this same "10.0.0.1" is used by thousands if not hundreds of thousands of other 'Nets around the world.

However, the benefits of implementing RFC1918 far outweigh the potential problems. At the absolute worst, two sites might have to use masquerade between them to hide the fact that years before they knew they would be working together, they both used 10.0.0.1. That's it, that is the one "danger", and it's little more than another option on the (hopefully used, like a condom) firewall that is also installed between the two offices.

Re-reading, this is in fact a "big picture" spewing on my part. I really wish the "doom and gloom" nay-sayers on both sides, the "We're Running Out Of Addresses" and "RFC1918 Use Is Dangerous" would take cold showers and relax.

Extensive use of RFC1918 is saving lots of money in those places like Asia where routable addresses cost a bundle, and putting off IPv6. Renumbering at some point is the greatest "danger" that any use of RFC1918 can cause, and not using it will require renumbering any time someone changes ISP's anyway. Such is not the case if you're already using unrouted addresses. Something to think about, with the merger/failure cycle in ISP's, ne?

So my advice, do RFC1918 where ever you can!

And for the "I'm Sid, so there" urge, the CCIE "certification" didn't exist yet at the time when I took all the Cisco classes. So There!

Bob-

Trace will show RFC1918 if YOUR ISP uses it...

[Bob_Robertson]

RFC1918 addresses will show up any time your ISP uses it.

RFC1918 source/destination packets are dropped at the *edge* routers, not "every" router. By edge I mean AS-Number borders, my experience is that anyone with the technical know-how and need for their own AS-number also usually knows to filter those packets to and from their BGP peers and default providers.

Yes, to and from. For laughs I used to put logging on the border routers, to catch packets to/from RFC1918 addresses, as well as BGP advertizements of RFC1918 address blocks. It was amazing the otherwise reputable ISP's and major companies who forgot to filter those things out! Lets just say that it was one reason for my buying my first AMD chip!

Bob-

This breaks path MTU discovery

http://www.google.com/search?q=rfc1918+pmtud

NANOG

[The+Madpostal+Worker]

This is a topic that has been flamed^H^H^H^H^H debated to death on the North American Network Operators Group(NANOG) Mailing List

Its a great list, and has a lot of very knowledgable people on it.

P-MTU Discovery...

...can be broken sometimes if you are using RFC1918 addresses on globally-connected networks. But a lot of people think it's pretty much broken anyway!

seen this before

[flipper28]

My cable modem uses this technique because I was able to ping one of their internal hosts (I'm not 100% sure why) before. Trace route shows the same as step 12

RFC1918 on Internet Routers == BAD BAD BAD

[marius]

This comes up on NANOG's mailing list about once a week. Search the archives.

The most important thing it breaks is PMTU discovery, which may cause stalls in your IP transmissions through that router.

... but leave out the zeros???

[Ocelot+Wreak]

I recall some Cisco guru saying something about not using .0 A and B address ranges (e.g., 10.0.0.nnn) for your network, as the .0's could cause routing problems sometimes. Anyone recall why the zeros were Bad and Wrong???

Re:... but leave out the zeros???

[nedron]

Part of the problem is that some devices assume that the '0' always refers to the network itself. Your biggest problem is generally caused by entering a network like 10.0.0.0/24. Some devices inexplicably ignore the netmask and assume you're referring to all the networks in 10.*, rather than just the single "class c" '10.0.0.*'.

Karma Envy?

[fm6]

Poor baby. Maybe if you wrote more carefully you'd get modded up too.

I keep getting flammed for saying that private networks are the solution to all your security woes. Which sort of bothers me, because I never said it. All I am saying is that private networks are more effective than firewalls, and less of a pain for your users.

I once worked at a company with a really extreme security policy. It was against the rules to leave your desk without logging out! (Widely ignored of course.) The company firewall was as restrictive as they get. You could use ports 80 and 23 and that was it. No secure sockets (so no ecommerce or banking from work), no Realaudio, nada.

And of course there was a shortage of IP numbers!

Now I work at a place where everybody's on a private net. No fireway to get in my way, no proxy to configure, and no shortage of IP numbers.

Static Nat

[eufaula]

I wont get into the pros/cons of using these addresses (as that is covered enough on the nanog.org list). but, you can statically nat the addresses so they are translated into a routeable address.

this is how you do it on a cisco on your WAN router. (assuming that you know to configure it):

ip nat inside source static 10.x.x.x 12.34.56.78

now you have a static where internally 10.x.x.x is the ip of the router, but the outside world can see it as 12.34.56.78

a quick google search brought up this -- http://www.cisco.com/warp/public/556/9.html

ICMP

[Zule_Boy]

Dont forget about ICMP messages (net unreach, etc...) from other routers you will no longer get. sometimes these are a good thing(tm)

One major real-world problem: IP range collisions.

[Nonesuch]

I have run into one major problem with using RFC-1918 addresses for internal hosts. Address space collisions. Not just duplicate IPs, but also overlapping netmasks.

When you use a random 10/8 subnet for some of your internal hosts, then your company buys/merges with/is acquired by another company that is using their own overlapping segment of RFC1918, somebody is going to be stuck with a major renumbering project or a really ugly NAT table.

I just got hit by this last fall. We bought a small company (500 employee), and needed to integrate them into the corporate WAN, but their production LAN with hardcoded IPs scattered all over 172.16.X.X, with everything on a flat /16 netmask (single broadcast domain).

Not fun. Ended up with a huge static NAT table condensing their hosts into a single Class-C of real routable space. Ugly and a pain to maintain.