Using RFC 1918 IP Addresses on Internal Routers?

braek asks: "Our network has expanded to the point that I have about 6 separate network links to remote networks. I would like to avoid using public IP addresses for the routers to conserve my limited global IP addresses, and I don't expect any additional IP's for a while. :( What do you guys think about assigning internal routers a private, RFC 1918 IP address, like 10.0.0.1 or something? (For security, RFC 1918 addressess would be filtered at the border routers.)"

"I am testing this right now, and routing seems to work fine, the only problem I can think of, is when someone does a traceroute, it will show up like:

10   120 ms   131 ms   120 ms  152.63.67.97
11   130 ms   130 ms   131 ms  66.141.21.1
12     *        *        *     Request timed out.
13   130 ms   130 ms   140 ms  66.141.21.185

Hop 12 is the router with the private RFC 1918 address, and I am assuming it is not responding to a traceroute because the IP is not globally routable. However, all the clients behind the router have complete, unabashed network access. What problems may one encounter if implementing this kind of addressing scheme?"

Re:Only one issue

[anticypher]

I see at least one 10/8 network:
2 10.55.160.1 11.023 ms

Nope. It looks like a 10.55.160.1/30 point to point link between the uBR headend router for your neighborhood and the core routers in Cincinnati. Since the uBR is only collecting traffic and passing it on to the core, it never needs a routable interface, hence RR is doing a technically valid thing.

There is nothing wrong with using an RFC 1918 address for internal links. Many ISPs use them for point to point links to conserve IP use. So what if RR is using a 10 address on one of their internal links? Your packets are still being routed, your traceroute got to /., and you were able to post wrong information :-)

Its not the wrong thing to conserve IPv4 address. Its good practice, every one should be doing it.

Routers should respond to all valid IP addresses, even RFC1918 addresses. What shouldn't be done is to route those packets to the internet. If your border routers are participating in BGP4, then they should be dropping any packets with source or destination matching RFC1918, and should ignore (filter) any route to an RFC1918 net. There are lots of badly configured border routers out there spewing route advertisements for private network ranges, just learn to filter them out, and make sure you filter your own out.

the AC

Re:Can and Must

[ryanmoffett]

Not quite. Let's say you compromise a host on the 10/8 network. If it attempts to make an outbound TCP connection to an IRC server, the IRC server will not be able to respond back to the 10/8 host because RFC1918 routes are going to be filtered at some point back to the client and the TCP 3-way handshake won't even complete. UDP attacks in one direction from the client to the public would be possible, but the RFC1918 source address would most likely be caught by an ingress filter at the remote end.

Now, most likely, that 10/8 host gets NAT'd to a public address through a firewall. In this case, the IRC scenario is not only possible, but a real tactic used to get past firewalls. Some, firewalls such as the Cisco PIX make it easy to not care about your outbound traffic, so a client making outbound connections to IRC servers isn't necessary going to even be noticed. This is why you have to implement egress filtering on your firewalls and/or routers to block what your users have access to should they ever get trojaned.

Hmm..

[_ganja_]

There isn't really a problem with what you are doing, the only thing I don't really like about doing this is the management aspects when the implimentation gets a little large. More on that in a bit but first, technically, the golden rule here is as long as these addresses are of course unique and stay in your own AS you'd be fine, I'd personally go one further and would keep them only in your IGP just to be safe in case someone screws your bgp filters etc.

I'm a CCIE and been networking 11 years now, 6 with Cisco and I'd only do this is if I really had too and here's why: management of address space. I'm sure (hope) your management of all your public address space is organised and clear. Furthermore nobody would dream of adding a box to the network with a public address without asking you or another admin who would assign one, which case you would go to your speadsheet (or QIP / another tool), allocate one and record the details. With private address space people tend to just add boxes and subnets and pick an address from random out of the air. This is where time consuming issues come about with overlapping address space. If your network is going to stay small and you have full control over all the addresses then you shouldn't have much of a problem but if the network is going to grow a larger, think about the extra admin you might have to do and also if you were to be hit by a bus would the next guy understand it.

You have some cisco semi-hacks to help you out also such as unnumbered links and also note /31 subnets are available in newer IOS revisions. At the end of the day I don't know how large you're network and it's exact design, its your choice at the end of the day, just make sure it won't bite you in the ass in the future.