Private Address Spaces

Hi all, just wondering what you companies out there use in the way of ip
address ranges? we use 98 and 222 ranges class A and class c ...but this
chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0 or
192.168.0.0...

Just wondering what the score is really....is it illegal to use what ever we
like>?? or do we have to change to satisfy the rules!!

Andi

On Wed, 9 Jul 2003 14:08:33 +0100, Andrew <(E-Mail Removed)> wrote:
> Hi all, just wondering what you companies out there use in the way of ip
> address ranges? we use 98 and 222 ranges class A and class c ...but this
> chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0 or
> 192.168.0.0...
>
> Just wondering what the score is really....is it illegal to use what ever we
> like>?? or do we have to change to satisfy the rules!!

I don't think it's illegal, but that doesn't mean that your ISP is going to
route it. Since they're not going to route it anyways, you might as well
use the unrouteable IP blocks and setup NAT on your gateway.

--
-- Skylar Thompson ((E-Mail Removed))
-- http://os2.dhs.org/~skylar/

In message <VnUOa.13510$(E-Mail Removed)>, Andrew
<(E-Mail Removed)> writes
>Hi all, just wondering what you companies out there use in the way of ip
>address ranges? we use 98 and 222 ranges class A and class c ...but this
>chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0 or
>192.168.0.0...
>
>Just wondering what the score is really....is it illegal to use what ever we
>like>?? or do we have to change to satisfy the rules!!
>
It's not illegal to use anything you like but the three ranges you
mention have been set aside for private networks.

If your network connects to the internet, using anything outside these
ranges could mean there is more than one machine on the 'net with the
same IP address. The private IP addresses aren't transmitted over the
'net so by using them, you not only avoid possible clashes on the 'net,
you also improve your network's security. If your network isn't
connected to the internet, these considerations don't apply but, even
then, it's better to use the private IP addresses so you can easily
connect to the 'net some time in the future.
--
Mike

"Andrew" <(E-Mail Removed)> wrote in message
news:VnUOa.13510$(E-Mail Removed)...
> Hi all, just wondering what you companies out there use in the way of ip
> address ranges? we use 98 and 222 ranges class A and class c ...but this
> chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0
or
> 192.168.0.0...
>
> Just wondering what the score is really....is it illegal to use what
ever we
> like>?? or do we have to change to satisfy the rules!!
>
> Andi
>
>

I have known plenty of companies who've attempted to use IP addresses
registered to another company (ahem, I like to refer to these IP's as
'pirated' IP's). They call to say that they can't figure out why they
can't connect to some obscure website or why someone at some other company
can't send them email. <grin>

The reason is they're using 'pirated' IP's! Let me explain.

Within a LAN, you're using 98.x.x.x with a 255.0.0.0 subnet mask and at
some point in time. An employee within the LAN launches their web
browser, types in www.yada.com and then attempts to visit the website.
What will happen is that the connection fails because the DNS A record
resolves to an IP (98.6.1.106) that's supposed to be within the same LAN!
The fact of the matter is that no one within the LAN will be able to
establish a connection to an IP that resolves back to the IP's being
'pirated'. This is the basics of IP routing!

Now I know what you're thinking. You're probably thinking to yourself
"Big deal. No one within the LAN will be able to go any IP address that
resolves back to the same range we're using. We can live with that."
Well, it's a bit more problematic than that.

Have you thought about the fact that you're blocking access to 16.5
million IP's? How about the fact that you'll be blocking access *from*
16.5 million IP's as well? Yes, I said 'from'. What do I mean? I mean
that if someone within the 'yada.com' domain wanted to send an email to
someone within your LAN of 'pirated' IP's. The inbound SMTP connection
would be blocked at the firewall providing the NAT. I say this because
most firewalls (if not all) will treat the incoming connection as a
'spoofing' attempt. IOW the source IP address of the incoming connection
represents an IP address that the firewall 'knows' to be on the internal,
protected side.

So what's the easiest method to fix this nightmare? Simple. Just change
the first octet of the 98.x.x.x IP address to '10'. That's it! In doing
this, you've just changed to one of the IP ranges ('10.x.x.x') allocated
in RFC1918 (see note below) for use with NAT. Granted there may be a need
to run around and change some servers, but this is truly the only way to
resolve the issue.

In closing, I will acknowledge that I may have used what appears to some
as an extreme example, but it's a legitimate example I've encountered more
than once.


Note: You should be using IP addresses from any of the following:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

For additional information please refer to RFC-1918
(http://www.faqs.org/rfcs/rfc1918.html)

--
Best regards,
Don Kelloway
Commodon Communications

Visit http://www.commodon.com to learn about the "Threats to Your Security
on the Internet".

Nice one chaps...thanks for the info!!

hmmmmm ive had already made up a 192.168...I think I will use a ten address
too!!

Cheers

Andi


"Andrew" <(E-Mail Removed)> wrote in message
news:VnUOa.13510$(E-Mail Removed)...
> Hi all, just wondering what you companies out there use in the way of ip
> address ranges? we use 98 and 222 ranges class A and class c ...but this
> chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0
or
> 192.168.0.0...
>
> Just wondering what the score is really....is it illegal to use what ever
we
> like>?? or do we have to change to satisfy the rules!!
>
> Andi
>
>

On Wed, 9 Jul 2003 14:06:01 UTC, "Don Kelloway" <(E-Mail Removed)> wrote:

> I have known plenty of companies who've attempted to use IP addresses
> registered to another company (ahem, I like to refer to these IP's as
> 'pirated' IP's). They call to say that they can't figure out why they
> can't connect to some obscure website or why someone at some other company
> can't send them email. <grin>
>
> The reason is they're using 'pirated' IP's! Let me explain.
>

aren't they insane for opening their internal lan to the internet or am I
insane???

....eric

On Wed, 09 Jul 2003 20:11:29 GMT, "eric w" <(E-Mail Removed)> wrote:

>On Wed, 9 Jul 2003 14:06:01 UTC, "Don Kelloway" <(E-Mail Removed)> wrote:
>
>> I have known plenty of companies who've attempted to use IP addresses
>> registered to another company (ahem, I like to refer to these IP's as
>> 'pirated' IP's). They call to say that they can't figure out why they
>> can't connect to some obscure website or why someone at some other company
>> can't send them email. <grin>
>>
>> The reason is they're using 'pirated' IP's! Let me explain.
>>
>
>aren't they insane for opening their internal lan to the internet or am I
>insane???
>
>...eric

Yup and they are really naughty boys! I found one of my clients using
an IP block allocated to Sun. They were told to do it by a 'know it
all'


--
Jim Watt http://www.gibnet.com

Andrew wrote:

> Hi all, just wondering what you companies out there use in the way of ip
> address ranges? we use 98 and 222 ranges class A and class c ...but this
> chap was saying about I really need to use either 10.0.0.0 or 172.16.0.0
> or 192.168.0.0...
>
> Just wondering what the score is really....is it illegal to use what ever
> we like>?? or do we have to change to satisfy the rules!!

Look up RFC 1918. It lists the 3 available address ranges and the reasons
for use. If you use addresses that are not on that list, you'll have to
make sure your router does not pass them to the internet and you'll be out
of luck, if you ever need to connect to the real address.

Change them to one of the RFC ranges and you'll be a lot happier.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.

On Wed, 9 Jul 2003, Jim Watt wrote:

> On Wed, 09 Jul 2003 20:11:29 GMT, "eric w" <(E-Mail Removed)> wrote:
>
> >On Wed, 9 Jul 2003 14:06:01 UTC, "Don Kelloway" <(E-Mail Removed)> wrote:
> >
> >> I have known plenty of companies who've attempted to use IP addresses
> >> registered to another company (ahem, I like to refer to these IP's as
> >> 'pirated' IP's). They call to say that they can't figure out why they
> >> can't connect to some obscure website or why someone at some other company
> >> can't send them email. <grin>
> >>
> >> The reason is they're using 'pirated' IP's! Let me explain.
> >>
> >
> >aren't they insane for opening their internal lan to the internet or am I
> >insane???
> >
> >...eric
>
> Yup and they are really naughty boys! I found one of my clients using
> an IP block allocated to Sun. They were told to do it by a 'know it
> all'

IIRC, Sun shipped early systems configured that way, or they trained
people to do it that way.. or something that actually tracks back to Sun.
I assume it was somewhere in the 192.9.0.0 to 192.9.255.255 range?

Interestingly, Sun seems to have almost all of the above range EXCEPT for
192.9.200.0 to 192.9.200.255 and 192.9.255.0 to 192.9.255.255

On Wed, 9 Jul 2003, eric w wrote:

> On Wed, 9 Jul 2003 14:06:01 UTC, "Don Kelloway" <(E-Mail Removed)> wrote:
>
> > I have known plenty of companies who've attempted to use IP addresses
> > registered to another company (ahem, I like to refer to these IP's as
> > 'pirated' IP's). They call to say that they can't figure out why they
> > can't connect to some obscure website or why someone at some other company
> > can't send them email. <grin>
> >
> > The reason is they're using 'pirated' IP's! Let me explain.
> >
>
> aren't they insane for opening their internal lan to the internet or am I
> insane???

If the machines using those IP addresses are behind an effective stateful
firewall, then they are pretty secure. In fact, that is the way the
Internet was *supposed* to work and it is possible everyone will revert to
using real IP addresses when IPv6 is in widespread use.

The presence of NAT routers means that the security of some protocols has
been compromised in order that people can use those protocols from behind
NAT routers. It's very difficult to ensure end-to-end security if there
is a router that is re-writing packets in between the endpoints.