nanog mailing list archives
Re: DoD IP Space
From: Sabri Berisha <sabri () cluecentral net>
Date: Wed, 20 Jan 2021 12:16:26 -0800 (PST)
Hi,

----- On Jan 20, 2021, at 6:58 AM, j k <jsklein () gmail com> wrote:

> My question becomes, what level of risk are these companies taking on by using the DoD ranges on their internal networks? And have they quantified the costs of this outage against moving to IPv6?
Not so long ago, while working for a large enterprise, my team was considering the use of non-advertised public IP space when we realized we were close to running out of RFC1918 space. Eventually we decided against it, as we had enough options to reclaim unused RFC1918 from within the company. However, we had a number of arguments against the use of public ranges:

- The risk of owners deciding to advertise their space. If so, since we operated a popular ecommerce site, there would be a huge risk of users encountering issues.
- The risk of inadvertent security issues. People using RFC1918 space, even the most network-illiterate dev, know that RFC1918 space is not accessible from the big bad internet. This (perceived) safety is absent when using public IP space.
- The risk of misconfiguring firewalls. Obviously, most of the policies cover RFC1918 space. Introducing non-RFC1918 space encourages human error.
- The risk of looking like fools if we would accidentally leak. Let's be honest. There are two groups of people on this list: those who have accidentally leaked and those who will. I learned from my mistake(s).

As for IPv6: I know I sound like a broken record, but one does not simply walk into Mordor and migrate to IPv6. In a large enterprise, especially one using a lot of old code to support a highly popular webapp, it is easier to move a mountain than it is to get all noses aligned. The network group(s), corp, lab, DC, backbone, may all be ready, but that does not mean that your cloud, kubernetes, frontend, backend, operations, and billing groups are ready. Migrating to IPv6 is a cost, as there is no ROI. It is a cost center, not an investment. Surely, we all on this list know that it is a mandatory expense to ensure future delivery of services, but explain that to a VP with limited budgets. Are they going for the short term win of new features, or for the long term "win" of retaining revenue? We all know what their bonuses are based on.
And don't get me wrong. I'm not advocating against v6. I'm merely explaining how difficult it can be to migrate. In most large companies, the network is like PG&E (the California power utility). If it works, nobody says well done. But if the power is out, everyone gets angry and asks why we have fools operating the power grid.

Thanks,

Sabri
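The three operational risks listed in the post above (the owner starts advertising the space, the address plan no longer matches the "RFC1918 means internal" assumption, and firewall policy written against RFC1918 silently fails to cover the squatted range) can all be checked mechanically from an address inventory. The following is an added example written for this archive page, not code from the poster or from any of the companies discussed. The internal prefixes, firewall rules and "advertised" prefix snapshot are constructed sample input; 11.0.0.0/16 and 22.1.0.0/16 are used only as examples of non-RFC1918 public space squatted for internal use, and nothing is claimed about who their registrants are.

```python
import ipaddress

# RFC 1918 private address space: what "internal" means in most firewall policy.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other IPv4 special-purpose ranges (RFC 6890 registry). Also never routed on
# the public internet, but not what a typical "trusted internal" rule matches,
# so they are reported under their own label rather than as RFC1918.
OTHER_SPECIAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def classify(prefix):
    """Return 'rfc1918', 'special-purpose', 'public' or 'ipv6' for a prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        return "ipv6"
    if any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if any(net.subnet_of(r) for r in OTHER_SPECIAL):
        return "special-purpose"
    return "public"


def audit(internal_prefixes, firewall_rules, advertised_prefixes):
    """Flag the three risks from the post for each internal prefix.

    internal_prefixes:   prefixes in use on the inside of the network
    firewall_rules:      (source_cidr, action) pairs; a prefix counts as
                         covered if some rule's source contains it, otherwise
                         it falls through to whatever the default is
    advertised_prefixes: prefixes seen in a BGP feed or full-table snapshot
    """
    routes = [ipaddress.ip_network(p) for p in advertised_prefixes]
    rule_srcs = [ipaddress.ip_network(src) for src, _action in firewall_rules]
    report = {"public": [], "special-purpose": [],
              "uncovered": [], "advertised_collision": []}
    for prefix in internal_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        kind = classify(prefix)
        if kind in ("public", "special-purpose"):
            report[kind].append(prefix)
        # subnet_of() raises on mixed IP versions, so compare like with like.
        same_ver_rules = [s for s in rule_srcs if s.version == net.version]
        if not any(net.subnet_of(s) for s in same_ver_rules):
            report["uncovered"].append(prefix)
        same_ver_routes = [r for r in routes if r.version == net.version]
        if any(net.overlaps(r) for r in same_ver_routes):
            report["advertised_collision"].append(prefix)
    return report


# Constructed sample inventory (hypothetical, not any real company's plan).
INTERNAL_PREFIXES = [
    "10.20.0.0/16",    # RFC1918
    "172.20.0.0/16",   # RFC1918
    "100.64.0.0/16",   # CGNAT shared space pressed into "internal" service
    "11.0.0.0/16",     # non-RFC1918 public space squatted for internal use
    "22.1.0.0/16",     # same
]

# Constructed sample policy: the classic "trust RFC1918, default deny" ruleset.
FIREWALL_RULES = [
    ("10.0.0.0/8", "allow"),
    ("172.16.0.0/12", "allow"),
    ("192.168.0.0/16", "allow"),
]

# Constructed sample routing snapshot: the owner of 11.0.0.0/8 has started
# announcing it, which is exactly the first risk in the post.
ADVERTISED_PREFIXES = ["11.0.0.0/8", "203.0.113.0/24"]


if __name__ == "__main__":
    for label, prefixes in audit(INTERNAL_PREFIXES, FIREWALL_RULES,
                                 ADVERTISED_PREFIXES).items():
        print(f"{label:21s} {', '.join(prefixes) or '-'}")
```

With the sample data, the squatted 11.0.0.0/16 shows up in all three columns: it is public space, it is not matched by any of the RFC1918-based rules, and it now collides with a prefix in the routing table. The 100.64.0.0/16 case shows why a separate "special-purpose" label is useful: it will never be announced on the internet, but an "allow from RFC1918" policy still does not cover it.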
Current thread:
- Re: DoD IP Space, (continued)
- Re: DoD IP Space Randy Bush (Jan 21)
- Re: DoD IP Space Doug Barton (Jan 22)
- Re: DoD IP Space Dorn Hetzel (Jan 20)
- Re: DoD IP Space Bryan Fields (Jan 20)
- Re: DoD IP Space John Curran (Jan 20)
- Re: DoD IP Space Brandon Martin (Jan 20)
- Re: DoD IP Space John Curran (Jan 20)
- Re: DoD IP Space Eric Kuhnke (Jan 20)
- Re: DoD IP Space Bryan Fields (Jan 20)
- Re: DoD IP Space Eric Kuhnke (Jan 20)
- Re: DoD IP Space Sabri Berisha (Jan 20)
- Re: DoD IP Space Owen DeLong (Jan 20)
- Re: DoD IP Space borg (Jan 21)
- Re: DoD IP Space Clayton Zekelman (Jan 22)
- Re: DoD IP Space Izaac (Jan 22)