nanog mailing list archives

Re: Arguing against using public IP space


From: Jay Hennigan <jay () west net>
Date: Sun, 13 Nov 2011 15:51:13 -0800

On 11/13/11 7:36 AM, Jason Lewis wrote:
> I don't want to start a flame war, but this article seems flawed to
> me.  It seems an IP is an IP.
>
> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
>
> I think I could announce private IP space, so doesn't that make this
> argument invalid?

You could announce it. I wouldn't expect anyone else to listen to those announcements other than for the purpose of ridiculing you.

> I've always looked at private IP space as more of a
> resource and management choice and not a security feature.

It depends.

Case 1: If the SCADA vendors are configuring units with non-RFC1918 IP space in live customer installations, and these installations aren't ever in any way connected to the public Internet, then there isn't any real operational problem. It smacks of carelessness/cluelessness on the part of both the vendor and the IT staff of the customer who accepted the configuration, but nothing is operationally broken.

Case 2: Same as above, but the SCADA network is connected to the Internet behind a NAT at the customer location. Again careless and clueless. And should anything on that network need to access resources on the Internet within the space configured on the SCADA system it won't work. The vendor/customer have broken reachability to some part of the public Internet for that system. Whether there is a security risk depends on the configuration of the NAT firewall and whether and how the SCADA system opens connections outbound and what vulnerabilities exist in its systems if it does. No more security risk than the same situation using RFC1918 space.

Case 3: Same as case 2 but without the NAT. Pretty much the same result. The SCADA system won't be reachable from the outside because the customer's provider won't route those addresses to the customer. Packets sourced to the Internet from the SCADA aren't likely to get very far. Even more broken/stupid than the other scenarios but not likely to be much of a security risk in terms of exposure to the Internet.

Case 4: SCADA vendor asks customer for a subnet of public IP space allocated to the customer and installs the SCADA system directly on the Internet. From an RFC standpoint, nothing is broken. From a security standpoint, without appropriate firewalls, a very bad idea.

So, yes, it's a dumb idea.  The degree of dumbness depends.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay () impulse net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
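The audit below is an added example, not part of the thread above; it shows in code the distinctions the reply draws. It takes a SCADA subnet as configured, the customer's own public allocations, and the Internet destinations the SCADA hosts need (vendor update server, NTP, whatever), and reports whether the subnet is RFC1918 (a management choice, nothing broken), the customer's own public space (Case 4, reachable from outside, so a firewall is mandatory), or someone else's public space (Cases 1 to 3), in which case it lists the destinations that become unreachable because the connected route for the squatted prefix is more specific than the default route. The function names `is_rfc1918`, `shadowed_destinations` and `audit` are mine, and all prefixes in the sample run are constructed from the documentation ranges in RFC 5737, standing in for real public space; it handles IPv4 only.

```python
import ipaddress

# RFC 1918 private address blocks (the thread's "private IP space").
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr_or_net: str) -> bool:
    """True if the address or prefix lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def shadowed_destinations(scada_subnet: str, destinations: list) -> list:
    """Destinations a SCADA host cannot reach because they fall inside the
    subnet it is configured with: the local connected route wins over the
    default route, so the packet never leaves the segment (Case 2/3)."""
    net = ipaddress.ip_network(scada_subnet, strict=False)
    return [d for d in destinations if ipaddress.ip_address(d) in net]


def audit(scada_subnet: str, customer_allocations: list, destinations: list) -> list:
    """Classify a SCADA subnet the way the reply does and return findings."""
    net = ipaddress.ip_network(scada_subnet, strict=False)
    findings = []

    if is_rfc1918(net):
        # Resource/management choice; nothing operationally broken.
        findings.append("rfc1918")
        return findings

    allocations = [ipaddress.ip_network(a) for a in customer_allocations]
    if any(net.subnet_of(a) for a in allocations):
        # Case 4: legitimately routable from the outside. From an RFC
        # standpoint nothing is broken; without a firewall it is a bad idea.
        findings.append("customer-owned-public")
        return findings

    # Cases 1-3: somebody else's public space. The provider will not route it
    # to the customer, but any Internet destination inside it is now dark.
    findings.append("squatted-public")
    for dest in shadowed_destinations(net, destinations):
        findings.append(f"unreachable:{dest}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the vendor shipped 198.51.100.0/24 as a "default",
    # the customer actually holds 203.0.113.0/24, and the SCADA hosts need to
    # reach a vendor server (198.51.100.7) and an NTP server (192.0.2.10).
    for subnet in ("192.168.50.0/24", "203.0.113.64/26", "198.51.100.0/24"):
        print(subnet, audit(subnet, ["203.0.113.0/24"],
                            ["198.51.100.7", "192.0.2.10"]))
```

Run it against an inventory export and anything tagged `squatted-public` with `unreachable:` entries is a Case 2/3 installation that will fail the moment the shadowed destination is actually needed; `customer-owned-public` is the Case 4 list to check for firewall coverage.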

