2 IP Address Questions

new2net wrote: »

Hey I have 2 IP Address Questions:

(1) I just noticed my ISP assigned my Linksys home router a 255.255.254.0 maks with a Class A address. I am on cable. Does this mean that there are 510 other hosts on my network? I can't see the logic behind this...

The hosts aren't really on your network. The cable ISP's CMTS is using proxy arp in order for you to access any other host on that subnet.

new2net wrote: »

(2) If a company buys a Class B Address from an ISP, such as 130.10.0.0/16. That means the company has that address to use internally. So at the company's site, the Fa0 interface of the router would be 130.10.0.1, and all the hosts would be assigned accordingly. But what address would sit between the ISP and the company? Would it have to come from the 130.10.0.0 block? I think this might relate to VLSM somehow...

Thank you in advance.

Usually if you are assigned a Class B you would be subnetting it accordingly. The IP address on the router's external interface and the ISP's edge router is usually from a /30 subnet which allows 2 IP addresses and it would be a different network address.

Example:

ISP Router (192.168.5.1/30) <---> Your Router's F0/1 (192.168.5.2/30) --- Your Router's F0/0 (130.10.1.1/24) (If you subnet)

Then your ISP would route the 130.10.0.0/16 network to 192.168.5.2

new2net

tim100 wrote: »

ISP Router (192.168.5.1/30) <---> Your Router's F0/1 (192.168.5.2/30) --- Your Router's F0/0 (130.10.1.1/24) (If you subnet)

Then your ISP would route the 130.10.0.0/16 network to 192.168.5.2

Thank you...so they will actually use a private IP (between the ISP and your router)?

new2net wrote: »

Thank you...so they will actually use a private IP (between the ISP and your router)?

That was just an example. It wouldn't be from the private IP address space.

tim100 wrote: »

That was just an example. It wouldn't be from the private IP address space.

That's not necessarily true. I know for a fact that there are live implementations in the colo world where the colo provider just drops the wire in the customers cabinet, the customer hooks it up to their router, and the /30 between the two links is an RFC1918 address

Our provider at work is another county agency. All of the "external addresses" are RFC 1918 addresses of the same subnet. Semantics basically though, as regardless, 1918 addresses arent in the internet route table. So it doesnt matter, at some point, there has to be a corresponding globally unique address.

Basically you would only BUY addresses that are external for external use. If you needed a class B range you would subnet the private range you want to use to fit your needs. For example, the 10.0.0.0 network supports up to 16,777,216 hosts theoretically. Internally, the RFC 1918 addresses would suffice. You would only need global addresses when the device needs to be directly accessed by the outside world, and even then, NAT/PAT could be used.

There would really be no need for any company to buy a class b range, unless you were a smaller ISP that is selling the addresses. Any other reason would be unwise, as using public addresses for desktops would put them into the internet routing table, which would allow them to be accesses externally possibly. Bad idea, needless costs, all things that business should typically let happen lol.

ColbyG

SysAdmin4066 wrote: »

There would really be no need for any company to buy a class b range, unless you were a smaller ISP that is selling the addresses. Any other reason would be unwise, as using public addresses for desktops would put them into the internet routing table, which would allow them to be accesses externally possibly. Bad idea, needless costs, all things that business should typically let happen lol.

My company owns a few /22s of public space. We use it internally, it is not routed on the internet. A lot of older, large companies bought space way back and use it internally, and they don't route it on the internet. So what you're saying isn't necessarily true.

SysAdmin4066 wrote: »

Our provider at work is another county agency. All of the "external addresses" are RFC 1918 addresses of the same subnet. Semantics basically though, as regardless, 1918 addresses arent in the internet route table. So it doesnt matter, at some point, there has to be a corresponding globally unique address.

Basically you would only BUY addresses that are external for external use. If you needed a class B range you would subnet the private range you want to use to fit your needs. For example, the 10.0.0.0 network supports up to 16,777,216 hosts theoretically. Internally, the RFC 1918 addresses would suffice. You would only need global addresses when the device needs to be directly accessed by the outside world, and even then, NAT/PAT could be used.

There would really be no need for any company to buy a class b range, unless you were a smaller ISP that is selling the addresses. Any other reason would be unwise, as using public addresses for desktops would put them into the internet routing table, which would allow them to be accesses externally possibly. Bad idea, needless costs, all things that business should typically let happen lol.

Once the traffic makes it inside your AS, it's fine to use RFC1918 space for your internal routing links, the requesting system doesn't care about any of that. If you're at 1.1.1.1 and trying to reach 2.2.2.2, and there's some 10 net links in between in my network, your end doesn't care - my internal routers know how to reach 2.2.2.2, and how to return that traffic to 1.1.1.1, so it's all good.

As far as not putting things like desktops on public IP's.... hogwash. You seem to be implying that NAT provides some sort of security. It doesn't. Being on a public IP does not inherently place you in more danger. NAT'd machines still need things like anti-virus, malware scanners, and a firewall, either based on the host, or somewhere on the network in front of them. NAT is a hack, and while it does break direct connectivity (which has other annoying implications), just because I can't directly initiate a connection to your machine doesn't mean I can't exploit it. NAT does give you some degree of protection from having your network enumerated, but it's primary use is to extend the life of the ip4 address space. And I'm of the opinion that's maybe not such a good thing.

kalebksp

Forsaken_GA wrote: »

As far as not putting things like desktops on public IP's.... hogwash. You seem to be implying that NAT provides some sort of security. It doesn't. Being on a public IP does not inherently place you in more danger. NAT'd machines still need things like anti-virus, malware scanners, and a firewall, either based on the host, or somewhere on the network in front of them. NAT is a hack, and while it does break direct connectivity (which has other annoying implications), just because I can't directly initiate a connection to your machine doesn't mean I can't exploit it. NAT does give you some degree of protection from having your network enumerated, but it's primary use is to extend the life of the ip4 address space. And I'm of the opinion that's maybe not such a good thing.

I agree, just about every computer and device at my work has a publicly routable address. We have firewalls to keep them protected. I look forward to the day when IPv6 is widely adopted and we won't have to screw with NAT anymore.

Just because your company doesnt route the addresses on the internet, doesnt mean the address space is not routable. The benefit of private addressing is that its not POSSIBLE to route on the internet. No way, cant be done, not in the internet routing table as designed. So you dont have to worry about it. If I were building a network, I would never, ever, ever, ever use private addresses internal. I would always use the private RFC 1918 address space internally and use the public addresses for NAT purposes only.

There are plenty of things my company does that it shouldnt or that it does because it had to, not because it was following best practice. In a perfect world, what I'm saying is that private addressing should be used for the internal addresses unless some reason or purpose compels the use of public addresses.

What reason does your company use public addresses internally? Everything I said was true, even if it doesnt fit every situation. That is in fact, a network design best practice. A rather simple concept actually.

So what do you do if you change ISPs? Do you change your entire internal addressing? Or are you guys talking about using public addresses you dont actually own?

Here's the scoop;

"Although NAT routers are not generally purchased for their security benefits, NAT routers CAN inherently function as very effective hardware firewalls. As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network."

"With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets."

I suppose if you also use NAT with your internal public addresses, you would reap the same benefits, but the problem of having to change addresses if you change ISPs is still there. That is unless you are using public addresses you dont actually own. Which in that case, why use public addressing at all? Can someone enlighten me on what the benefits of using public addressing internally are?

Security is a layered approach. There is no silver bullet that is a one app protection suite. You will have to install antivirus with a firewall system installed. Does that mean a firewall doesnt add any security? That argument doesnt make sense. Just because one thing doesnt completely protect you from every single threat, doesnt mean you should abandon it. NAT does apply some inherent security to your network.

kalebksp

SysAdmin4066 wrote: »

So what do you do if you change ISPs? Do you change your entire internal addressing? Or are you guys talking about using public addresses you dont actually own?

Here's the scoop;

Although NAT routers are not generally purchased for their security benefits, NAT routers CAN inherently function as very effective hardware firewalls. As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network.

With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.

I suppose if you also use NAT with your internal public addresses, you would reap the same benefits, but the problem of having to change addresses if you change ISPs is still there. That is unless you are using public addresses you dont actually own. Which in that case, why use public addressing at all? Can someone enlighten me on what the benefits of using public addressing internally are?

I'm really hoping that you are Steve Gibson, otherwise you just plagiarized that off GRC. I'm not going to continue a conversation with someone that passes off other peoples words as their own.

Why assume I meant to pass someone elses words off? I wanted to make a point with someone elses words, which is why I searched out the article. I forgot to put the quotes in the correct places after I edited and added the quotes.

At any rate, that's the best practice operation I described in my own words earlier. Please explain why you would use public addresses, i'm always up to learn something new. After 10 years in the field, I've never seen it done any other way.

ColbyG

SysAdmin4066 wrote: »

So what do you do if you change ISPs? Do you change your entire internal addressing?

I don't think you're understanding me. My company owns this space, it has nothing to do with our ISP, it is ours.

We use it because we have it. I have no say in the matter, this is how it has been for decades. And, I don't know what you mean by "just because your company doesnt route the addresses on the internet, doesnt mean the address space is not routable". It is, by definition, routable space, but it is not routed on the internet. Even if it somehow got into a BGP table and propagated throughout the internet it would not affect us, but that should never happen.

SysAdmin4066 wrote: »

So what do you do if you change ISPs? Do you change your entire internal addressing? Or are you guys talking about using public addresses you dont actually own?

My IP allocations are from ARIN. A change of provider simply means a reconfigure of BGP and that my routes are now announced and propagated from a different provider, that's it. If I actually needed to change IP blocks, then the network gear would need to be renumbered, and probably a few servers. The desktops and the like would take care of themselves via DHCP.

Although NAT routers are not generally purchased for their security benefits, NAT routers CAN inherently function as very effective hardware firewalls. As a hardware firewall they prevent "unsolicited", unexpected, unwanted, and potentially annoying or dangerous traffic from the public Internet from passing through the router and entering the user's private LAN network.

It doesn't prevent traffic in any way shape or form, it just prevents it from hitting the device directly. This is not a benefit of NAT inherently, a network firewall would do exactly the same type of interdiction. A host based firewall means the end node would receive the packet, but it would drop the packet as it traveled up the stack, preventing it from being processed by the application it was destined for, so the same results are achieved, it just adds a little bit of processing to the host. NAT does not equal firewall. The fact that NAT routers also perform some basic firewalling is irrelevant - you're going to be doing some sort of firewalling regardless, unless you want your end nodes to get pwned.

With multiple "internal" computers on the LAN behind the router, the router must know which internal computer should receive each incoming packet of data. Since ALL incoming packets of data have the same IP address (the single IP address of the router), the only way the router knows which computer should receive the incoming packet is if one of the internal computers on the private LAN FIRST sent data packets out to the source of the returning packets.

Only if you're using overloading (PAT). Static NAT implementations have no such requirement.

Again, NAT is a hack. It serves two primary purposes - to extend the life of the ip4 address space. It also allows interoperability between two networks which need to communicate, but may also be using the same RFC1918 address space (and this is, in my opinion, the only real value NAT has). It is not a security feature.

Ok, with static one to one NAT, no, there is no requirement of keeping track of the connection. I am talking about one to many NAT implementations.

And my argument about costs is also valid. Why purchase address space, when you dont have to? What is the benefit of not using NAT and just using public addressing?

You're getting your layer3 and layer4 confused.

With PAT, the destination IP is always the same, the router performing nat then looks at the port numbers to decide where to spend the traffic. It's the only way to do it.

If I configure static nat, ie, if i tell the NAT router that all traffic destined for 1.1.1.4 should be sent to 192.168.1.3, then that's what it does, it never has to look at the port numbers, as I've explicitly told it that all traffic for a certain IP address should be translated to another IP address.

The NAT router changes the destination IP for incoming traffic to the address on the inside of the NAT. It doesn't touch the source IP address. When the end node receives it, and responds to it, it sets the source IP to it's address, and the destination IP to the address that it's replying to. So the NAT router gets it, sees it's from 192.168.1.3, destined for the outside world, and changes the source IP to 1.1.1.4, leaving the destination IP alone and then forwards it on through whatever method is best (route in the routing table, default route, etc etc). And so the cycle goes. Static NAT only really manipulates the destination IP in the header for inbound traffic, and the source IP in the header for outbound traffic.

SysAdmin4066 wrote: »

And my argument about costs is also valid. Why purchase address space, when you dont have to? What is the benefit of not using NAT and just using public addressing?

You've already hit on one of the reasons I would purchase public space - renumbering is a pain in the ass. If I own the space, then I never need to change my IP's if I decide to move providers.

The internet was designed around the concept of direct connectivity. Several things break when you can't talk to the end node directly. NAT causes all kinds of hassles with VPN, as a good example. You can make it work, but it takes more hacks and work arounds. Then there's the problem of increased complexity, additional administrative overhead, additional resource consumption on your network gear, the addition of another point of failure, and so on.

Why purchase an address space when you can use private addressing internally? Give me a scenario of what your company does with public addressing so that I better understand.

SysAdmin4066 wrote: »

Why purchase an address space when you can use private addressing internally? Give me a scenario of what your company does with public addressing so that I better understand.

I don't think my company would appreciate it very much if I revealed details about the guts of our network on a public forum, so this is a request I'll decline. You'll have to do your own research.

ColbyG

SysAdmin4066 wrote: »

Why purchase an address space when you can use private addressing internally? Give me a scenario of what your company does with public addressing so that I better understand.

My company purchased the space at the beginning of the interwebs, because they could. They also inherited a lot of space through purchases of other companies.

I can't tell you why they use public space internally, I assume they do it because they can. They could be using private space, but they aren't, they don't have to.

This really isn't that big of a deal, other large companies do it too. My only point was that your statements weren't true of every company.

Forsaken_GA wrote: »

I don't think my company would appreciate it very much if I revealed details about the guts of our network on a public forum, so this is a request I'll decline. You'll have to do your own research.

Obviously without the specific information. You still havent told me WHY you would buy all public IP addressing. Seems grossly unneccessary, regardless of there being no benefit to NAT as you say. So, I'm trying to understand why you would do this, what the benefit of this would be? And if you were a consultant building this same network from scratch, would you have done the same thing?

So Tim, in your opinion, or in practice, do you use public addressing schemes internally when building from scratch? What benefits do you see from using public addressing if so? No one can really tell me any benefits besides things "break" when devices cant talk directly, which I have not experienced with NAT devices. So I have no real frame of reference for what is being said.

Forsaken_GA wrote: »

That's not necessarily true. I know for a fact that there are live implementations in the colo world where the colo provider just drops the wire in the customers cabinet, the customer hooks it up to their router, and the /30 between the two links is an RFC1918 address

This is true but it is not common practice. If there will never be a VPN connection to that edge router or if you do not ever need to access the router from remote via SSH for management then yes you could use RFC1918 addressing.

Forsaken_GA wrote: »

Once the traffic makes it inside your AS, it's fine to use RFC1918 space for your internal routing links, the requesting system doesn't care about any of that. If you're at 1.1.1.1 and trying to reach 2.2.2.2, and there's some 10 net links in between in my network, your end doesn't care - my internal routers know how to reach 2.2.2.2, and how to return that traffic to 1.1.1.1, so it's all good

This is also true. Router to router links within an AS will usually use RFC1918 addressing. If you do a traceroute from one endpoint to another you will sometimes see RFC1918 addresses somewhere in between.

SysAdmin4066 wrote: »

Obviously without the specific information. You still havent told me WHY you would buy all public IP addressing. Seems grossly unneccessary, regardless of there being no benefit to NAT as you say. So, I'm trying to understand why you would do this, what the benefit of this would be? And if you were a consultant building this same network from scratch, would you have done the same thing?

That's not a simple question. It all depends on what the purpose of the network is. I personally will use public addressing (with a mix of private addressing where appropriate, and NAT is not needed) whenever possible. I will avoid NAT unless it is absolutely needed (ie, I need to bridge two networks that share a common IP space, or I do not have enough public IP's available to cover the number of hosts that need to be able to communicate over the public internet). Having dominion over my own IP space allows me to address how I wish without being at the mercy of a provider. And since I will always multi-home with different providers whenever I can, it gives me the ability to control how traffic flows into and out of (and possibly through, if appropriate) my network.

Don't take this the wrong way, but these are not things I should have to explain to someone who's passed the exams you're listing.

tim100 wrote: »

This is true but it is not common practice. If there will never be a VPN connection to that edge router or if you do not ever need to access the router from remote via SSH for management then yes you could use RFC1918 addressing.

In the particular case I'm thinking of, the customer had their own /24, which the colo provider was announcing for them. Then the colo provider just routed the /24 over the privately addressed /30. The customer could ssh into their router by using their /24's gateway IP as the destination. As a rule, they didn't, since they didn't want the router directly accessible, instead they would ssh into a server behind their router, and then use that server to access the router. Likewise, their VPN server was behind the router.

SysAdmin4066 wrote: »

So Tim, in your opinion, or in practice, do you use public addressing schemes internally when building from scratch?

No. I see no reason to waste routable address space.

SysAdmin4066 wrote: »

What benefits do you see from using public addressing if so?

None really. But of course there are autonomous systems that are using public addresses though. Alot of these autonomous systems are the ones that have been around for a very long time. When IPv4 addresses were not even near exhaustion. The old timers so to speak. If you are designing a network from the ground up nowadays it would be wise to use private addressing for internal links.

Forsaken_GA wrote: »

In the particular case I'm thinking of, the customer had their own /24, which the colo provider was announcing for them. Then the colo provider just routed the /24 over the privately addressed /30. The customer could ssh into their router by using their /24's gateway IP as the destination. As a rule, they didn't, since they didn't want the router directly accessible, instead they would ssh into a server behind their router, and then use that server to access the router. Likewise, their VPN server was behind the router.

In this type of scenario yes. It really depends on the customer's and/or ISPs preference and type of configuration etc... Many ISPs do use a /30 out of public IP space. If a customer decides to go with the "poor man's firewall/VPN" configuration with CBAC, NAT, Crypto Maps and what not on the router using an IOS firewall feature set or better with a zillion lines worth of configs then it will be a /30. I would highly advise against this type of configuration but it does exist and I have redesigned networks from this type of configuration but the /30 connection still remained.

tim100 wrote: »

In this type of scenario yes. It really depends on the customer's and/or ISPs preference and type of configuration etc... Many ISPs do use a /30 out of public IP space. If a customer decides to go with the "poor man's firewall/VPN" configuration with CBAC, NAT, Crypto Maps and what not on the router using an IOS firewall feature set or better with a zillion lines worth of configs then it will be a /30. I would highly advise against this type of configuration but it does exist and I have redesigned networks from this type of configuration but the /30 connection still remained.

I entirely agree! That's actually how I came across the folks, they needed their network fixed and it was one of my first contract jobs. The colo provider refused to route their IP space to them any other way though, so I had to deal with the /30 as a fact of life.

tim100 wrote: »

No. I see no reason to waste routable address space.

None really. But of course there are autonomous systems that are using public addresses though. Alot of these autonomous systems are the ones that have been around for a very long time. When IPv4 addresses were not even near exhaustion. The old timers so to speak. If you are designing a network from the ground up nowadays it would be wise to use private addressing for internal links.

All I'm saying, I dont know how my intelligence came into question here. I have never seen public addressing being done internally in existing networks i've administered and any networks I've ever built as a perm emp or consultant, i've used private addressing internally. My current company, back in the days before I started working for them (A large gov agency) at one time used public addresses. Some other agencies actually still do. So I am familiar with the concept, but it just didnt seem wise to me. And their reasoning was the same, because we could. It was litterally before 1918 addressing was prevalent, and wasnt an accepted practice.

As for your comments regarding my education, I have a BS and an MS in IT, and so many certs I lose track of them. All earned with blood, sweat, and tears, literally and figuratively (purple heart from wounds suffered in combat in afghanistan on patrol). I've done network administration/infantry patrol with the greatest bunch of Warriors God has ever commissioned (USMC, urggh!) on the battlefields of Afghanistan, to systems administration in the civilian gov sector, with an emphasis on security policy (directory services). I've worked as a consultant both independantly and with a var as well as with private entities. All told, i've been in IT since 2000, and i'm 27 years young. I have paid my dues, served my country, and even learned a thing or two between here and there. So, how should I take your comment?