The shortage of IP addresses has been with us for only a few years, but it is the product of decades of growth. Address allocations made in the early 1990s are still having a great impact on the Internet in 2021. No one could have expected the Internet to develop so rapidly, and IPv4 addresses have become a scarce resource.

On April 24, according to the Washington Post and the Associated Press, Global Resource Systems LLC (GRS), a company registered in Florida and acting on behalf of the Defense Digital Service (DDS), a department of the US Department of Defense, began using BGP (Border Gateway Protocol) to announce address blocks belonging to the US Department of Defense into the global routing table. Announcing an address block means that those addresses become directly reachable on the Internet.

Since these addresses belong to the US Department of Defense, what is the problem with a company announcing them on the Internet?

For networks that follow the protocol rules and allocate intranet addresses in the normal way, there is no impact. Internal networks that use public addresses, however, may encounter two problems:

- This practice breaks the rules of Internet operation and may leave the intranet unable to reach Internet services.
- When the network is not configured securely, packets that should stay inside the network are sent out to the Internet.

Let's first explore why the phenomenon of using public addresses inside intranets arises.

Most readers know that the country has vigorously promoted IPv6 over the past two years, with the aim of fundamentally solving the IPv4 address shortage in our country. The IPv4 address shortage is a problem faced worldwide, but it is not only "public" IPv4 addresses that are short: the "private" IPv4 addresses behind each NAT are also severely short, and this is most obvious in large and medium-sized networks.

Before January, the following addresses were merely allocated to the US Department of Defense and had not been announced to the global routing table via BGP.

These address ranges include:

6.0.0.0 – 6.255.255.255
28.0.0.0 – 28.255.255.255
30.0.0.0 – 30.255.255.255
55.0.0.0 – 55.255.255.255
215.0.0.0 – 215.255.255.255

If you manage a large or medium-sized network and any of the above addresses are used inside it, block access to these addresses immediately; detailed steps are given below.

RFC 1918 specifies three private address ranges that can be used within an organization:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

The largest "private" range, 10.0.0.0 – 10.255.255.255, is the first choice for large and medium-sized networks.

The first octet is fixed at 10, the fourth octet is generally used to identify a host within a subnet, and the second and third octets are used to identify different departments or geographic locations, so the second and third octets together determine a /24 subnet that is easy for people to recognize.

Such a network theoretically carries 2^16 = 65536 /24 subnets. In practice the allocation is quite coarse: to make subnets easy for people to recognize, a block of tens of /24 subnets is often assigned to one functional unit, such as 10.20.20.0/24 or 10.200.20.0/24. If the organizational structure is a little complex, or changes often, the address space is soon exhausted.

At this point, many network engineers start using 1, 2, 3, 4, 5, 6, 7, 8, 9, 11, 20, 30, 40, 50 and so on as the first octet, and so addresses that do not belong to the private ranges come into use on the intranet.

That is why such strange addresses appear inside networks.

Phenomenon 1: The intranet cannot access Internet services normally

The above addresses have now started to be announced on the Internet via BGP. Once such addresses are used or sold on the Internet and announced through BGP, they soon begin to carry a variety of Internet services.

At this point, if the intranet has been configured with these addresses that really belong to the public Internet, users will find that some websites cannot be opened. This is because, as packets flow through the internal routers, they match the internal routing entries and are forwarded to the intranet segment that corresponds to the address rather than to the Internet, and those segments usually do not host what the user needs. The classic example is Cloudflare's launch of 1.1.1.1 in 2018, when it was found that many users could not reach it; apart from some operators' configuration problems, many networks had internal routes for 1.1.1.1.
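To make the forwarding behaviour concrete, here is an added example (not code from the article): a small longest-prefix-match lookup over a constructed intranet routing table that has squatted 1.1.1.0/24 and 6.0.0.0/8 for internal segments. The route entries, next-hop names and test addresses are all constructed for the example.

```python
# Added example: longest-prefix-match forwarding on an intranet router
# whose table contains squatted public blocks. Everything here is
# constructed; it is not configuration from the article.
import ipaddress

# Constructed intranet routing table: prefix -> next hop / interface
INTRANET_ROUTES = {
    "10.0.0.0/8": "core-switch",
    "1.1.1.0/24": "vlan-lab",      # squatted public block, not ours
    "6.0.0.0/8": "vlan-dc",        # squatted DoD block, not ours
    "0.0.0.0/0": "isp-uplink",     # default route toward the Internet
}


def lookup(dst, routes=INTRANET_ROUTES):
    """Return the next hop chosen by longest-prefix match for dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def reaches_internet(dst, routes=INTRANET_ROUTES):
    """True only if the packet would leave through the default route."""
    return lookup(dst, routes) == "isp-uplink"


def unreachable_public(services, routes=INTRANET_ROUTES):
    """Public services that internal users cannot reach because a more
    specific internal route shadows the default route."""
    return [s for s in services if not reaches_internet(s, routes)]


if __name__ == "__main__":
    # 203.0.113.5 is a TEST-NET-3 documentation address standing in for
    # an ordinary Internet host; 1.1.1.1 and 6.0.0.1 are shadowed.
    print(unreachable_public(["1.1.1.1", "203.0.113.5", "6.0.0.1"]))
```

The /24 and /8 entries win over the /0 default for any destination inside them, which is exactly why the user sees the site as "down" while the rest of the Internet reaches it normally.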

Phenomenon 2: Internal-only packets are sent to the Internet

The situation above is limited to the case where the address block used by the intranet provides services on the Internet. Now that the US Department of Defense has announced its own addresses on the Internet, what new impact will that have?

In many misconfigured networks, internal packets will reach the US Department of Defense / GRS network when the following conditions are all met:

- The network uses an address block that does not belong to it (in this example, a US military block);
- The internal routing table has no entry for the destination;
- The border network device has no ACL or security policy configured to block these addresses;
- The default route points to the Internet interface, and the Internet is reachable;
- The upstream operator does no special processing for these addresses.

Attentive readers will have noticed: there will be networks in which traffic destined for the private network instead reaches a network controlled by the US Department of Defense, which is a serious information security risk.

GRS can analyze every packet entering its network:

For TCP sessions, a server can be set up to respond to the client, which will elicit sensitive data. UDP is connectionless, so the client sends its sensitive data without needing to establish anything with the server side. And by collecting statistics on source addresses, destination addresses and ports, a list of the intranet's server addresses and ports can be built.
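From the defender's side, the leak is visible in the border router's own flow records: any flow whose destination is a block the intranet uses internally but which exits through the Internet uplink has already reached the block's real owner. The following added example (not code from the article) scans a few constructed NetFlow-style records for exactly that condition and then builds the same server/port inventory the text says the far end could build. The record format, the interface name "isp-uplink" and the flow values are constructed assumptions; the squatted blocks are the DoD /8s listed earlier in the article.

```python
# Added example: find internal flows that escaped the border toward
# squatted address blocks, and summarise what they disclosed.
# Flow records, interface names and addresses are all constructed.
import ipaddress
from collections import defaultdict

# Blocks this constructed intranet uses internally although they belong
# to the US DoD (the ranges listed in the article). Packets for them
# must never leave through the Internet uplink.
SQUATTED = [ipaddress.ip_network(p) for p in (
    "6.0.0.0/8", "28.0.0.0/8", "30.0.0.0/8", "55.0.0.0/8", "215.0.0.0/8")]
UPLINK = "isp-uplink"   # assumed name of the border's Internet interface

# Constructed flow export from the border router:
# src,dst,proto,dport,egress-interface
FLOWS = """\
10.20.20.15,6.1.2.3,tcp,445,isp-uplink
10.20.20.15,10.200.20.9,tcp,443,core
10.30.1.7,55.9.9.9,udp,514,isp-uplink
10.30.1.8,6.1.2.3,tcp,445,core
10.30.1.9,203.0.113.7,tcp,443,isp-uplink
"""


def squatted_block(addr):
    """The squatted block containing addr, or None if it is not squatted."""
    a = ipaddress.ip_address(addr)
    return next((str(n) for n in SQUATTED if a in n), None)


def leaked_flows(text):
    """Flows for a squatted block that left via the uplink: the internal
    route was missing, so the default route carried them to the owner."""
    leaks = []
    for line in text.splitlines():
        src, dst, proto, dport, iface = line.split(",")
        if iface == UPLINK and squatted_block(dst) is not None:
            leaks.append((src, dst, proto, int(dport)))
    return leaks


def exposed_inventory(leaks):
    """Per block, the internal 'server' addresses and ports that clients
    tried to reach: the list an observer at the far end could compile."""
    inv = defaultdict(set)
    for _src, dst, proto, dport in leaks:
        inv[squatted_block(dst)].add((dst, proto, dport))
    return {block: sorted(entries) for block, entries in inv.items()}


if __name__ == "__main__":
    leaks = leaked_flows(FLOWS)
    print(leaks)
    print(exposed_inventory(leaks))
```

Note the fourth record: the same 6.1.2.3 destination leaving via the "core" interface is normal internal traffic, because an internal route existed. Only the flows that hit the default route are reported, which is the misconfiguration the conditions above describe.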

According to public information, some public clouds, private clouds and operators use, to varying degrees, public addresses that have been allocated to foreign governments, militaries and companies. It is fair to conclude that where intranets have long used public addresses, leakage of sensitive data caused by misconfiguration is inevitable, and it is happening now.

How should network administrators remediate networks that have already started using public addresses internally?

(1) Check your network's routing table and find any address ranges that are neither within the ranges defined by RFC 1918, RFC 3927 and RFC 6598 nor part of the public address space allocated to you by your Internet operator or by CNNIC, APNIC or another regional NIC.

(2) If such addresses are present, the remedy depends on which of two cases applies:

- You interconnect with your upstream via BGP. On the Internet border router running BGP, use route-maps or similar routing-policy tools to filter these prefixes in both directions in the BGP configuration associated with the ISP router. At the same time, install black hole routes on the border device so that packets for the above addresses are discarded.
- You have no BGP relationship with the ISP and are simply an end customer. On the border router or firewall, configure ACLs, security policies or black hole routes so that packets for the above addresses are discarded at the border device.
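Steps (1) and (2) can be scripted. The added example below (not code from the article) audits a constructed routing-table dump for prefixes that are neither in the RFC 1918 / 3927 / 6598 ranges nor in the organization's own delegated public space, then emits border commands for the end-customer case. The dump format, the "owned" prefix 198.51.100.0/24 (a TEST-NET-2 documentation block) and the choice of a Linux border device with an nftables table "inet filter" and chain "forward" are assumptions of the example.

```python
# Added example: audit an intranet routing table for squatted public
# prefixes and generate black hole / drop commands for the border.
# The route dump and the owned prefix are constructed for the example.
import ipaddress

ALLOWED_PRIVATE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # RFC 3927 link-local
    "100.64.0.0/10",                                   # RFC 6598 shared space
)]
# Public space actually delegated to this organisation (assumed; TEST-NET-2)
OWNED_PUBLIC = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed dump of the intranet routing table: "<prefix> via <next hop>"
ROUTE_DUMP = """\
10.20.20.0/24 via 10.0.0.1
1.1.1.0/24 via 10.0.0.2
6.0.0.0/8 via 10.0.0.3
198.51.100.0/24 via 10.0.0.4
172.20.0.0/16 via 10.0.0.5
0.0.0.0/0 via 203.0.113.1
"""


def squatted_prefixes(dump):
    """Prefixes that are neither private nor ours. The default route is
    skipped because it legitimately covers every address."""
    found = []
    for line in dump.splitlines():
        net = ipaddress.ip_network(line.split()[0])
        if net.prefixlen == 0:
            continue
        if any(net.subnet_of(ok) for ok in ALLOWED_PRIVATE + OWNED_PUBLIC):
            continue
        found.append(str(net))
    return found


def border_remediation(prefixes):
    """Commands for an assumed Linux border device: a blackhole route so
    the prefix never follows the default route to the uplink, and an
    nftables forward-chain drop (assumed table 'inet filter') as the ACL."""
    cmds = []
    for p in prefixes:
        cmds.append(f"ip route add blackhole {p}")
        cmds.append(f"nft add rule inet filter forward ip daddr {p} counter drop")
    return cmds


if __name__ == "__main__":
    bad = squatted_prefixes(ROUTE_DUMP)
    print("squatted:", bad)
    print("\n".join(border_remediation(bad)))
```

The blackhole route only needs to be less specific than any legitimate internal route that transits the border; its job is to catch the packets that would otherwise fall through to the default route, which is the leak path described under Phenomenon 2. For the BGP case, the same prefix list is what the route-map's deny entries would be built from.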

(3) After the remedy is in place, choose a program to thoroughly fix the internal use of public addresses:

- Migrate the intranet to IPv6 and avoid IPv4 addresses entirely. Note that IPv6 addresses should be obtained through the normal application channels. If Internet access is not needed, the IPv6 ULA range can be used, that is fd00::/8, the second half of fc00::/7; see RFC 4193.
- If migration to IPv6 is not possible, or the application is expected to remain in use for more than 5 to 10 years, draw up an IP readdressing plan and use NAT to smooth the transition during the changeover period.
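RFC 4193 does not intend fd00::/8 to be picked by hand; it specifies a pseudo-random Global ID so that two organizations that later merge or interconnect are unlikely to collide. The added example below (not code from the article) implements the section 3.2.2 algorithm: the Global ID is the low 40 bits of SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64 identifier, and the resulting /48 is fd followed by that Global ID. The EUI-64 and fixed timestamp used in the demonstration are constructed values; the function names are this example's own.

```python
# Added example: generate a locally assigned ULA /48 following the
# RFC 4193 section 3.2.2 procedure. Inputs below are constructed.
import hashlib
import ipaddress
import secrets
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ula_prefix(eui64, ntp_time=None):
    """Return fdXX:XXXX:XXXX::/48 where the 40-bit Global ID is the low
    40 bits of SHA-1(64-bit NTP time || EUI-64), as RFC 4193 describes.
    ntp_time may be fixed for reproducibility; otherwise the current time
    is used with a random fractional part, as the RFC suggests."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        secs = int(time.time()) + NTP_EPOCH_OFFSET
        ntp_time = (secs << 32) | secrets.randbits(32)  # seconds.fraction
    key = ntp_time.to_bytes(8, "big") + eui64
    global_id = hashlib.sha1(key).digest()[-5:]        # least significant 40 bits
    addr = ipaddress.IPv6Address(b"\xfd" + global_id + bytes(10))
    return ipaddress.IPv6Network((addr, 48))


def is_ula(net):
    """True if the network lies inside the fc00::/7 unique local range."""
    return net.subnet_of(ipaddress.ip_network("fc00::/7"))


if __name__ == "__main__":
    # Constructed EUI-64 (as derived from a constructed 02:11:22:33:44:55 MAC)
    demo_eui64 = bytes.fromhex("0211fffe22334455")
    print(ula_prefix(demo_eui64))
```

Subnets for departments or sites are then carved from the /48 as /64s, and because the prefix is in fd00::/8 it is never announced to the Internet, so the Phenomenon 2 leak path does not exist for it.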

(4) Future network address planning should consider the following:

- Do not take IP addresses that have already been assigned to others.
- New networks should prefer an IPv6 single-stack architecture.
- Whether IPv4 or IPv6, address segments should be divided cleanly on binary boundaries.
- Configure security policies at the network border to prevent address forgery and data disclosure.

(IANA IPv4 Special-Purpose Address Registry)

(IANA IPv6 Special-Purpose Address Registry)

Conclusion


Unfortunately, using addresses owned by others breaks the rules of Internet operation: on the one hand, as IPv4 addresses are transferred, it will become an obstacle to future interconnection; on the other hand, it has already created great information security risks.

On the US Department of Defense's IPv4 addresses: reports from June 2020 and afterwards noted that the House version of the bill contained a provision (Section 1088) that would have required the US Department of Defense to sell some of its IPv4 address blocks within ten years. The Senate bill had no similar provision, and the House receded.

Source: https://www.congress.gov/congressal-report/116th-congress/House-Report/333/1