Why does Penn State use real IP Addresses?


I was listening to Security Now Episode 154 on the way home from work today when I heard the second Penn State-related letter about IP addressing read on that Q&A episode. This time, John Baskwill from Penn State Harrisburg was replying to a student-submitted question from many moons ago about the assignment of public IPv4 addresses to student computers. Penn State, like much of the world, is really beginning to feel the squeeze on its pool of public IPv4 addresses. The remaining unallocated pool of these 32-bit addresses is projected to run out in a couple of years. See Derek Morr's Living with IPv6 for a real-time counter.

As a systems engineer for ITS, I am always interested in how we provision our IT resources. Ever since arriving at the University 3 years ago, I have been puzzled by our consistent use of public, aka "real", addresses on every network device. Every computer, every server, every printer. I don't have the answers, but I would ask why this practice remains the same. I don't argue with the decision as it was made (probably 20 years ago, when all I had was a Commodore 64), but tools and needs change over time. With technologies such as VPNs, stateful NAT, proxy servers, et al., we could provide more secure network architectures while preserving these scarce IPv4 resources. Sure, these technologies may be more complicated than our existing strategy, but organizations larger than Penn State use them in business every day. How can our organization continue to justify using well over a hundred thousand of these addresses?

In my past life, we had over 1,000 devices on our networks at three domestic locations, but used only about 10 of the public addresses provided by our ISP. Using RFC 1918 private addressing, we worked quite happily without exposing every system to the Internet. Would you agree that it is time to revisit this aspect of our design philosophy? Take the Stubbs Challenge and leave a comment.


3 Comments

I think you're on to something here, Chris, but do you know the story about the apes in a cage with stairs leading to a banana? If not, I'd be happy to share it with you...

Is it a policy? I think it's a convenience, at least. If you want any inbound traffic to your network that wasn't initiated from within, NAT just adds more hurdles. NAT isn't needed for protection; firewalls do just fine with public addressing. Housing could use it on the student networks, as they block all incoming anyway. That's about the only area where I see a blanket "Use NAT" to be reasonable. As far as running out of IPv4, well, NAT helps, but I would hate to use it as an excuse not to adopt v6 more quickly.

I don't think it's a policy, just an entrenched practice. Historically, public v4 addresses weren't scarce, so we used them wherever possible. There are two arguments to use private addresses: security and scarcity.

I think the security argument is false. If you're using NAT, it's possible to tunnel through (some) NATs, and many attacks don't require the attacker to be able to open a connection to the victim. If you're not using NAT, you can still get to private addresses from inside the PSU network, and I think our network is more porous than many believe (how many people migrate laptops, smartphones, etc. from home to work and back again on a daily basis?). The only way to prevent these sorts of attacks is firewalls, anti-virus/spyware tools, etc. If you're using all of those, why use private IPs? Further, it's not possible to proxy all protocols. And some protocols do nasty things like embed IP addresses into various data structures (such as Kerberos, FTP and SAML, to name three off the top of my head). You can certainly mitigate these issues, but it's extra work. Using private addresses doesn't buy you much extra security, and it restricts what you can do. Frankly, I think it's more hassle than it's worth in many cases. Certainly we need to keep it around, since so many people seem to want it and since PCI-DSS requires it.

So that leaves us with the v4 address scarcity argument. I'll make two comments here. One, PSU has a sizable amount of unused IPv4 addresses (large portions of the two /16s that TNS does not control: CSE's and Hershey's). Two, IPv6 is the long-term solution to this problem, but it will be a very long time coming.
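As an added illustration of two points made above (this is example code written for this page, not code from the post or from either commenter): the post's use of RFC 1918 private addressing, and the comment that protocols such as FTP embed IP addresses in their payloads, which is exactly why a NAT needs an application-layer gateway (ALG) to rewrite them. The script parses an active-mode FTP PORT command (RFC 959), checks whether the client address it carries is RFC 1918, and performs the rewrite a NAT's FTP ALG would have to do before the server could connect back. The NAT's public address 192.0.2.1 is from the documentation range, the 10.0.0.5 client and the port pool starting at 40000 are constructed sample values, and `NatTable` is a toy stand-in for a NAT's mapping table, not any real implementation.

```python
import ipaddress

# RFC 1918 private address space: never routed on the public Internet,
# so a host here needs NAT or a proxy to talk to outside systems.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if `addr` is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def parse_port(cmd):
    """Decode an FTP PORT command (RFC 959, active mode) into (ip, port).

    The client sends 'PORT h1,h2,h3,h4,p1,p2': four address octets followed
    by the port as two bytes. This is the address the *server* connects back
    to, so a private address here breaks the data connection unless an ALG
    rewrites it.
    """
    verb, _, arg = cmd.strip().partition(" ")
    fields = arg.split(",")
    if verb.upper() != "PORT" or len(fields) != 6:
        raise ValueError("not a well-formed PORT command: %r" % cmd)
    if not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError("PORT fields must be decimal 0-255: %r" % cmd)
    octets = [int(f) for f in fields]
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def format_port(ip, port):
    """Encode (ip, port) back into the PORT wire format."""
    p1, p2 = divmod(port, 256)
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), p1, p2)


class NatTable:
    """Toy stand-in for a NAT's inbound mapping table (constructed for this
    example): hands out outside ports and remembers where each forwards."""

    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.inbound = {}          # outside_port -> (inside_ip, inside_port)

    def map_inbound(self, inside_ip, inside_port):
        outside_port = self.next_port
        self.next_port += 1
        self.inbound[outside_port] = (inside_ip, inside_port)
        return outside_port


def ftp_alg_rewrite(cmd, nat, public_ip):
    """What an FTP ALG on a NAT does to an outbound PORT command.

    If the client embedded an RFC 1918 address, the server could never reach
    it, so the ALG (1) asks the NAT for a temporary inbound mapping and
    (2) rewrites the payload to carry the NAT's public address and that port.
    Returns (rewritten_command, mapping); mapping is None if nothing changed.
    """
    ip, port = parse_port(cmd)
    if not is_rfc1918(ip):
        return cmd, None           # routable as-is; nothing to fix
    outside_port = nat.map_inbound(ip, port)
    return format_port(public_ip, outside_port), (ip, port, outside_port)


if __name__ == "__main__":
    # Constructed scenario: client 10.0.0.5 behind a NAT whose public side is
    # 192.0.2.1 (documentation range) announces data port 50000 (195*256+80).
    client_cmd = "PORT 10,0,0,5,195,80\r\n"
    nat = NatTable()
    rewritten, mapping = ftp_alg_rewrite(client_cmd, nat, "192.0.2.1")
    print("client sent:  ", client_cmd.strip())
    print("server sees:  ", rewritten.strip())
    print("NAT forwards  %s:%d -> %s:%d" % ("192.0.2.1", mapping[2], mapping[0], mapping[1]))
```

Run it directly to see the before/after commands. Without the rewrite, the server would try to open a data connection to 10.0.0.5, which is unroutable from its side; with it, the server connects to 192.0.2.1:40000 and the NAT forwards that to the client. This is the general shape of the problem the commenter raises for every protocol that carries an endpoint address in its payload: each one needs its own ALG, a protocol-level workaround (passive mode, in FTP's case), or no NAT at all.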



This page contains a single entry by Chris Kauffman published on August 4, 2008 10:01 PM.