Hendrik Lüth

A nightmare on NAT-street

As Halloween is today, I’d like to tell you a spooky story about IPv4 addresses and historical mistakes made by network administrators a long time ago, without knowing it would doom the network for decades!

Flashback – somewhere in Germany in the 1990s, a small company in the middle of nowhere. The officials decided that they wanted to be future-proof, so they set up a token-ring network and picked an address pool. There were still plenty of IPv4 addresses available, so why care? The reasoning was: if we can’t ping addresses from the subnet, it is probably not used or routed.

The year 2018 – somewhere in Germany, the same company. I arrive to set up a new core router for the company; they even got decent WiFi by now. I connect my serial cable and type in: „show ip route“. My face turns white. Never have I seen this cruelty before. The whole routing table is filled with public IPv4 addresses that belong to other ASes, not to this small company.

„Yeah, we know, but who cares, we have NAT, right?“ said the CTO to me when I asked for a reason. „It grew historical, you know? We thought about changing it, but it’s so much work and we haven’t had problems.“ he went on. I swallowed some mean words and started to explain why this is a bad idea and what could go wrong. Slowly he started to understand what it actually means to steal IPs, and we decided on a plan to migrate everything into private networks and also into different VLANs. Having the whole company on a single /16, including routers, servers, production and users, is a really bad idea, especially if you have no kind of network access control and have private smartphones in this subnet.

„It has grown historical“ – just another wording for „someone fucked up and we haven’t fixed it since then“. But how do you know which addresses are private and safe to use? It’s quite simple: there is an RFC for it, RFC 1597. The addresses are the following:
10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. In total that’s nearly 18 million addresses, and that should be enough.

There is also a much easier way to fix the problem of the small IP space of IPv4. The solution is already over 20 years old and is called IPv6. The only two reasons not to deploy IPv6 in your network are that you either have no experience with it or your hardware doesn’t support it. Both can be easily changed; you just need to get up and start implementing it. IPv6 is not scary, it makes a lot of things easier.

(And to avoid a post like this in 20 years: there is also a private address space in IPv6.)
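The check I wish had existed back then, as an added example (my own code, not anything from the company in the story): it walks routing-table lines and flags every prefix that is not inside the private ranges named above, plus the IPv6 equivalent, Unique Local Addresses (fc00::/7, RFC 4193), which the post mentions without naming. The `show ip route` lines below are constructed, and the simple line format is an assumption.

```python
import ipaddress

# Private address space as listed in the post (RFC 1597, later republished
# as RFC 1918), plus IPv6 Unique Local Addresses (RFC 4193).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def total_private_v4() -> int:
    """Number of IPv4 addresses in the three RFC 1597 blocks (~18 million)."""
    return sum(n.num_addresses for n in PRIVATE_RANGES if n.version == 4)


def is_private(prefix: str) -> bool:
    """True if the prefix lies entirely inside one of PRIVATE_RANGES.

    Deliberately not ipaddress's own .is_private: that property also treats
    documentation prefixes (e.g. 203.0.113.0/24), loopback and link-local as
    private, which is not what "safe to use internally" means here.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in PRIVATE_RANGES)


def squatted_prefixes(route_lines):
    """Return (prefix, rest-of-line) for routes that use address space the
    company does not own. Assumed line shape: '<code> <prefix> <details...>'."""
    hits = []
    for line in route_lines:
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue  # header or continuation line, not a route entry
        if not is_private(parts[1]):
            hits.append((parts[1], " ".join(parts[2:])))
    return hits


# Constructed sample, loosely modelled on the table described in the post.
# The "public" prefixes are RFC 5737 documentation ranges, not real victims.
SAMPLE_ROUTES = [
    "C    192.168.10.0/24 is directly connected, Vlan10",
    "S    10.20.0.0/16 via 192.168.10.254",
    "C    203.0.113.0/24 is directly connected, Vlan1",
    "S    198.51.100.0/24 via 203.0.113.1",
    "S    172.31.0.0/16 via 10.20.0.1",
]

if __name__ == "__main__":
    for prefix, detail in squatted_prefixes(SAMPLE_ROUTES):
        print(f"not private: {prefix}  ({detail})")
```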
