
Private Addresses in Cambridge





Presentation Transcript


    1. Private Addresses in Cambridge: Pros and Cons. Kate Jeary, University of Cambridge. TechLink Seminar, 11 June 2003.

    2. Private Addressing. There are several types of ‘private address’ available, which shouldn’t be confused with each other. The main RFC (“Request for Comments”) dealing with private addressing is RFC 1918, which reserves the following address blocks: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16). The Microsoft summary of this RFC can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;142863

    3. Microsoft variations. Microsoft also uses APIPA (Automatic Private IP Addressing) addresses, taken from 169.254.0.0 - 169.254.255.255 (169.254.0.0/16). Note that this is the link-local range reserved by IANA, not one of the RFC 1918 blocks: an APIPA address is never routed, so a machine with one can only talk to other machines on its own segment. You will generally find that your system has assigned itself an address in this range if you have an ethernet card in your machine, you have not supplied an IP address and the machine can’t find a DHCP server. To check, Start>Run>cmd (or command for 98/Me) and ‘ipconfig /all’; a self-assigned address appears on the ‘Autoconfiguration IP Address’ line.
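As an added illustration (not part of the original slides), the following Python script does the check described on the two slides above programmatically: it classifies an IPv4 address as RFC 1918 private, APIPA/link-local, loopback or global, and pulls the address lines out of ‘ipconfig /all’ output so you can see at a glance whether an adapter fell back to APIPA. The ipconfig text in the script is constructed for the example, and the addresses in it (169.254.23.5, 172.20.7.10) are assumed. The point worth noticing is that Python’s `ipaddress.is_private` is True for 169.254.0.0/16 as well as for the RFC 1918 blocks, so it cannot on its own tell a private address from an APIPA one; the script checks the blocks explicitly.

```python
import ipaddress
import re

# Address blocks from the slides: the three RFC 1918 blocks, the APIPA
# (link-local) range Windows falls back to when no DHCP server answers,
# and loopback, which ipconfig output can also contain.
KNOWN_BLOCKS = [
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("apipa", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def classify(addr):
    """Return (kind, block) for an IPv4 address, e.g. ("rfc1918", "172.16.0.0/12").

    Global addresses return ("global", None).  This deliberately does not use
    ipaddress.ip_address(addr).is_private, which is also True for link-local,
    loopback and other reserved ranges, so it cannot separate RFC 1918 from APIPA.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only: %s" % addr)
    for kind, block in KNOWN_BLOCKS:
        if ip in block:
            return (kind, str(block))
    return ("global", None)


# Matches the address lines of Windows 2000/XP 'ipconfig /all' output, which
# labels a self-assigned APIPA address "Autoconfiguration IP Address".
_IPCONFIG_ADDR = re.compile(
    r"^\s*(Autoconfiguration IP Address|IP Address)[ .]*:\s*(\d+(?:\.\d+){3})",
    re.MULTILINE,
)


def addresses_from_ipconfig(text):
    """Extract every IPv4 address in 'ipconfig /all' output with its classification."""
    return [(label, ip, classify(ip)) for label, ip in _IPCONFIG_ADDR.findall(text)]


def dhcp_failed(text):
    """True if any adapter fell back to an APIPA address (no DHCP server was found)."""
    return any(kind == "apipa" for _, _, (kind, _) in addresses_from_ipconfig(text))


# Constructed sample output (not captured from a real machine): one adapter
# that found no DHCP server, and one statically configured on the
# 172.20.7.0/24 subnet used elsewhere in these slides.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.5
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Lab Network:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.20.7.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.20.7.62
"""

if __name__ == "__main__":
    for label, ip, (kind, block) in addresses_from_ipconfig(SAMPLE_IPCONFIG):
        print("%-30s %-16s %-8s %s" % (label, ip, kind, block or "-"))
    if dhcp_failed(SAMPLE_IPCONFIG):
        print("at least one adapter has an APIPA address: no DHCP server answered")
```

On a real machine you would feed it the output of ‘ipconfig /all’ instead of SAMPLE_IPCONFIG; an ‘apipa’ result is the quickest confirmation that the DHCP problem is on the network side rather than in the client’s configuration.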

    4. Microsoft, DHCP, NAT. Microsoft, like Linux/Unix and MacOS, also uses DHCP-issued addresses, which on small networks are commonly of the 192.168.x.x style. DHCP is an assignment mechanism rather than an address type: a DHCP server can hand out global or RFC 1918 addresses. The practical difference is that a DHCP-issued address is a lease that may change, whereas a registered RFC 1918 address, like an ordinary globally unique IP address, is normally permanent. RFC 1918 addresses are not normally accessible from outside the institution (“cam.ac.uk”) because they are not unique and are not routed on the public Internet.

    5. Microsoft, DHCP, NAT. If you need external connectivity, i.e. an outside client connecting to a private address in cam.ac.uk, then you should normally use NAT (Network Address Translation) of some type. An example of this would be to use an ISA server and a VPN. See http://support.microsoft.com/default.aspx?scid=kb;en-us;303503 (“How to Join or Access an Internal Domain from an External Client Using ISA Server and VPN”). Note: PPTP is not as secure as L2TP/IPsec (L2TP on its own provides no encryption; it is the IPsec layer that does).

    6. Private Addressing in Cambridge. In Cambridge there are two classes of private IP address. Firstly there are the ‘personal’ IP addresses. These are normally in 172.16.x.x upwards, and should be applied for (even en bloc) in the normal way, to IP-Register@ucs.cam.ac.uk, specifying that you want a private address. Then there are the ‘Institutional’ private addresses. These are the 10.0.x.x and 192.168 nets. The Computing Service will not route these across cam.ac.uk.

    7. Private Addressing in Cambridge. In practice this means that, at the very least, you need to have your own router (and probably a firewall/proxy server as well) to use these. If you have several sites, need to access all of them, and are using private as well as global IP addresses, you will have to consider some form of VPN/tunnelling to access these sites. This is not a simple job. In general, careful thought needs to be given to mixing private and global addresses.

    8. How do Private Addresses behave? Oddly enough, within cam.ac.uk they behave the same as any other ‘global’ IP address. In other words you can have workgroups, domains, intranets (IIS for example). You can ‘browse’ your local subnet, presuming that the machines are all on the same ‘private’ IP subnet. You can use programs like nslookup to resolve names to addresses and addresses to names, as normal. Try resolving ‘galleon.csi.private.cam.ac.uk’. It should resolve to 172.20.7.1.

    9. How do Private Addresses behave? Unsurprisingly, in normal Cambridge style, private addresses use the nameservers 131.111.8.42 and 131.111.12.20, the gateway 172.20.7.62 and the netmask 255.255.255.0 (a /24, i.e. a class C-sized subnet with 254 usable addresses, not a class B). A privately-addressed machine can connect to the Internet, run IIS successfully as an Intranet server (and a great deal more securely than a public IIS server!), send and receive email, print… What it cannot do is accept connections from outside cam.ac.uk: the nameservers outside cam.ac.uk know nothing about it, and even a client that somehow knew the address could not reach it, because RFC 1918 addresses are not routed on the public Internet.
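As an added example (not from the original slides), this Python helper applies the sanity checks worth running before giving a lab machine the settings quoted above: the address must be in an RFC 1918 block, must not be the network or broadcast address of its subnet, and the gateway must be on the same subnet, otherwise the off-subnet Cambridge nameservers are unreachable. It also spells out what the netmask means, since 255.255.255.0 is a /24 and not a class B. The gateway, netmask and nameservers are the slide’s; the host address 172.20.7.10 and the deliberately wrong settings in the main block are assumed for illustration.

```python
import ipaddress

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Settings quoted on the slide.
CAM_NAMESERVERS = ("131.111.8.42", "131.111.12.20")
SLIDE_GATEWAY = "172.20.7.62"
SLIDE_NETMASK = "255.255.255.0"


def describe_netmask(netmask):
    """Return (prefix_length, usable_hosts) for a dotted-decimal netmask.

    255.255.255.0 -> (24, 254): a /24, the size of a classful class C network.
    A class B sized network would be 255.255.0.0 -> (16, 65534).
    """
    net = ipaddress.ip_network("0.0.0.0/" + netmask)
    return (net.prefixlen, max(0, net.num_addresses - 2))


def check_host_config(address, netmask, gateway, nameservers=CAM_NAMESERVERS):
    """Return a list of problems with a private host's IP settings; [] means consistent."""
    problems = []
    iface = ipaddress.ip_interface("%s/%s" % (address, netmask))
    host, net = iface.ip, iface.network
    gw = ipaddress.ip_address(gateway)

    if not any(host in block for block in RFC1918_BLOCKS):
        problems.append("%s is not an RFC 1918 address" % host)
    if host in (net.network_address, net.broadcast_address):
        problems.append("%s is the network or broadcast address of %s" % (host, net))
    if gw not in net:
        problems.append("gateway %s is not inside %s" % (gw, net))
    elif gw == host:
        problems.append("gateway %s is the host's own address" % gw)

    # The Cambridge nameservers are global (131.111/16), so a host on a private
    # subnet only reaches them through a gateway that is itself on the subnet.
    off_subnet = [ns for ns in nameservers if ipaddress.ip_address(ns) not in net]
    if off_subnet and gw not in net:
        problems.append("nameservers %s are off-subnet and there is no usable gateway"
                        % ", ".join(off_subnet))
    return problems


if __name__ == "__main__":
    print("netmask %s is /%d with %d usable hosts" % ((SLIDE_NETMASK,) + describe_netmask(SLIDE_NETMASK)))
    # Assumed host address on the slide's subnet, then a mistyped gateway.
    for addr, gw in (("172.20.7.10", SLIDE_GATEWAY), ("172.20.7.10", "172.20.8.1")):
        found = check_host_config(addr, SLIDE_NETMASK, gw)
        print(addr, gw, "OK" if not found else "; ".join(found))
```

A configuration that passes these checks can still be wrong in ways a script cannot see (the address may simply not have been registered with IP-Register), but the three failures it does catch account for most “I gave it a private address and it can’t see anything” reports.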

    10. Which machines would I want to use private addresses with? Any common desktops which have single or dedicated uses, particularly for use in labs with particular configurations, or with non-traditional software. For example, a machine configured by a consultant to use a third-party product such as MSDE, attached to a microscope. Or an application used for door-opening or security, based on a product, again, like MSDE or SQL Server.

    11. Which machines would I use private addresses with? Other examples would include self-service applications like book-issuing, general use machines not ‘owned’ by any one person, portables… It could work well for Colleges, but it might well annoy some students who wanted external users to be able to connect to their machine (e.g. P2P software). It would also probably be useful for general purpose library machines, with some provisos. For example, access to some electronic resources (validated by IP number, for example) could be a problem.

    12. Could I use these addresses with servers/domains? Yes, you could, but there are obvious caveats. Servers which provide external services are not good candidates. For example a standard webserver (as distinct from an intranet) cannot be run on a private address. Mail servers (with the possible exception of Microsoft Exchange) should not be run on a private address. Databases which need to be widely accessible externally should not be run on a private address.

    13. And the exceptions to these rules? If servers like these are only accessed externally occasionally, for example for management reasons, it should be possible to use a Cambridge VPDN connection to access them. The Cambridge VPDN setup uses the canonical cam.ac.uk nameservers, which know about private.cam.ac.uk (Cambridge machines with private addresses). It is however unlikely that Network-Support will look sympathetically on private users doing so!

    14. Microsoft Exchange. It should be perfectly possible (and even desirable!) to hide a Microsoft Exchange server behind ppsw.cam.ac.uk. If OWA (Outlook Web Access) is needed then Microsoft suggest using a separate machine with a global address to connect to the Exchange server. However, this is theory so far: NT-Support haven’t yet tried to do this (though others might have). Considering that Microsoft Exchange boxes are hacker targets, it is a solution worth considering.

    15. And more exceptions? Library machines which are primarily geared to electronic resources (rather than web access to the UK catalogue) are not necessarily good candidates, for authentication reasons. If a library machine uses the Cambridge webcache to access a 'cam.ac.uk'-only website, then this should work. Actually it may be more likely to work than not using the webcache, since the address presented to the site is that of the webcache. If however the resource (a web site, a CD) is restricted to a Department or College then this will fail (wrong IP address, because the site sees the cache rather than the Department or College range).

    16. And more exceptions? Remember that, as one of the cache webmasters says: “The web” involves a lot more than web servers on port 80 these days, and many of the protocols supported either natively by browsers or by plugins are not proxyable and therefore need direct access to the target server, hence global addresses for the clients. The pragmatic solution to hitting that problem would be manual configuration with the browser configured to use the cache for SSL and with the "no proxy" exclusion limited to just cam.ac.uk (still don't want pointless CUDN traffic through the cache...).

    17. Microsoft Protocols and Private Addressing. Browsing between subnets is always a problem, and using private addresses is no different from the usual setup in this respect. The usual solutions apply, which are:
    - Register the machine(s) with the CS WINS servers, and configure the clients to use the WINS servers
    - Set up a pair of WINS servers yourself
    - Use an LMHOSTS file containing the NetBIOS names and their address mappings, which you copy to all machines
    - Address the other machine as \\<Private IP address>\Sharename if using NetBIOS over TCP/IP (Windows 2000, XP and 2003)

    18. Microsoft Protocols and Private Addressing.
    - Use a tunnel/VPN setup
    Note: this 'solves' the access to resources issue. It doesn't necessarily mean that all the Windows boxes are listed in Network Neighbourhood! If your users insist on browsing for resources, remind them that in Windows XP and/or Me this can look like an attack to another machine’s owner (Universal Plug and Play). If they need permanent shares, set them up for them!

    19. Microsoft Domains and Private Addressing. There are obvious issues here to do with nameservers. For those people who run an unofficial 'cam.ac.uk' zone to get over the dynamic updates problem, private.cam.ac.uk can be downloaded in the usual way. You may want to separate your own Department or College's private addresses, in which case you might download <domain>.private. by itself. There are obvious complications with this setup (other private.cam.ac.uk records, for example). The best solution is to keep such a domain authoritative for private.<domain>.cam.ac.uk only, and to use forwarders for all other cam.ac.uk (including <domain>.cam.ac.uk) queries.

    20. Microsoft Domains and Private Addressing. You will need to set up reverse lookup zones for the private IP subnets if you use Windows DNS (e.g. 7.20.172.in-addr.arpa for 172.20.7.0/24). Private addressing should not otherwise affect ADS. If you use Microsoft TCP/IP printing, printers which have global IP addresses should not prove a problem. However, it is reasonably unlikely that you would want to have an entire domain with private addressing. The best candidates are probably standalone servers running (mainly) cam-only services.

    21. Microsoft Applications. There is the usual potential for problems here. There was a problem with SQL Server 2000 and private addresses which was fixed in SP2. In general, you will probably get the occasional glitch, but no more than usual with Microsoft. It is probably best not to mix private and global addresses more than you have to.

    22. Security. Private addresses are undoubtedly a bonus in terms of security, particularly considering how many scans and hacker attacks are made against cam.ac.uk: a host with no globally routable address simply cannot be the target of an unsolicited connection from the Internet. However, they will not protect you against internal attack from zombies (machines already compromised) within Cambridge, nor against anything the machine itself fetches from outside (a hostile web page, an email attachment), since outbound connections still work. They are not a substitute for keeping machines patched and secure, merely a potential additional layer of security (“defence in depth”).

    23. The Future. Private addressing was made popular by the growing shortage of addresses in the current (IPv4) way of addressing machines. However, over the next few years we will be moving to IPv6, which should get us over this shortage. So it is possible that the future will not be a world full of private or NAT addresses behind firewalls and proxies. But given the security (or lack of it!) on the Internet, I cannot see this changing soon…
