nanog mailing list archives

Re: Arguing against using public IP space

From: Michael Sinatra <michael () rancid berkeley edu>
Date: Tue, 15 Nov 2011 11:27:58 -0800

On 11/13/11 07:36, Jason Lewis wrote:

I don't want to start a flame war, but this article seems flawed to
me.  It seems an IP is an IP.

http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html

I think I could announce private IP space, so doesn't that make this
argument invalid?  I've always looked at private IP space as more of a
resource and management choice and not a security feature.

Really, the article doesn't make much sense. The claim is that SCADAsystems come with "public IP addresses by default" and that SCADAengineers are too ignorant of Internet security practices to know tore-configure them. First, the ignorance factor goes right back to thetwo axioms I mentioned in my reply to Bill. If you aren't payingattention, then you don't have security, regardless of which IP addressspace you use.

Second, there's the point that the SCADA systems come with public IPaddresses by default. So what? The article incorrectly confuses"public" IP addresses with "routable" IP addresses. As an example, whenI worked in the College of Chemistry at UC Berkeley, there was a labwith NMR machines that all came with public IP addresses bydefault--those of the manufacturer. Of course, since the manufacturerwas in Germany, and we were in the US those IP addresses weren'troutable in our network. Are SCADA systems similarly configured? Thearticle doesn't say if the manufacturers pre-configure addresses withinthe client's IP blocks or their own, or even 1.2.3.0/24.

If the manufacturer went to the trouble of configuring the system onroutable IP addresses, then the SCADA engineer can easily specify whichset of addresses. If the manufacturer really does configure "public" IPaddresses "by default" then it's unlikely that those "public" IPaddresses are actually _routable_ on the network which is using theSCADA system.

Oh, and the article treats RFC1918 and RFC4193 is equivalent, which isWRONG WRONG WRONG!


michael

Current thread:

Re: Arguing against using public IP space, (continued)
- - - Re: Arguing against using public IP space Dobbins, Roland (Nov 13)
    - Re: Arguing against using public IP space Joe Greco (Nov 14)
    - Re: Arguing against using public IP space Valdis . Kletnieks (Nov 13)
- Re: Arguing against using public IP space David Walker (Nov 13)
- Re: Arguing against using public IP space Leigh Porter (Nov 13)
- Re: Arguing against using public IP space McCall, Gabriel (Nov 13)
- Re: Arguing against using public IP space Jay Hennigan (Nov 13)
  - Re: Arguing against using public IP space Jason Lewis (Nov 13)
- Re: Arguing against using public IP space Owen DeLong (Nov 13)
- Re: Arguing against using public IP space Ray Soucy (Nov 14)
- Re: Arguing against using public IP space Michael Sinatra (Nov 15)
- Re: Arguing against using public IP space Jay Hennigan (Nov 13)
- Re: Arguing against using public IP space Eric C. Miller (Nov 16)