Back in January of this year (2021), something happened that caused a commotion in the networking community.\u00a0 The U.S. Department of Defense (DoD), via BGP proxy AS8003, advertised a vast amount of IPv4 address space that had been previously unannounced.\u00a0 This event got me thinking about several topics \u2013 and offers me an excuse to climb up on a soapbox and discuss a few subjects related to IPv4, IPv6, best practices, and an antiquated security mindset.<\/p>\n
Numerous other blogs, podcasts, and articles have covered the surprise DoD action, and I will not go into detail here.\u00a0 (There is a good synopsis on Kentic\u2019s web site<\/a>.)\u00a0 But to provide a quick overview, back in January, the DoD started advertising to the Internet previously unannounced IPv4 address space from a seemingly dormant, mysterious company.\u00a0 In the months thereafter, AS8003 continued to advertise more and more DoD IPv4 CIDR blocks until they were originating 764 prefixes (including multiple \/8s), accounting for roughly 175 million IPv4 addresses.\u00a0 Conspiracy theories immediately popped up.\u00a0 Was the space hijacked?\u00a0 (It turns out that was not the case.)\u00a0 Was the DoD preparing to sell their wealth of IPv4 assets?\u00a0 Was it a honey pot to collect and analyze stray packets?\u00a0 Or, possibly, a combination of the last two?\u00a0 (In a semi-official comment from the DoD\u2019s Defense Digital Service<\/a>, they stated the act was a \u201cpilot effort\u201d to \u201cassess, evaluate, and prevent unauthorized use of DoD IP address space\u2026\u201d that also \u201c\u2026may identify potential vulnerabilities.\u201d)<\/p>\n Conspiracy theories aside, one thing is for certain: \u00a0it caught nearly everyone off guard.\u00a0 Several large enterprises, and even some service providers, use the DoD space internally.\u00a0 Most had exhausted IPv4 addresses, both public and private, and were scouring the IPv4 world for \u201cfree\u201d numbers to use for internal purposes.<\/p>\n The DoD had a hand in creating the Internet, and most network engineers know they have a vast portfolio of IPv4 resources – and seemingly would never advertise that space publicly.\u00a0 So, despite their better judgment, organizations started using DoD blocks internally.\u00a0 Now those entities are in a pickle.\u00a0 Do they really know where their internal endpoint packets are going when they are destined for a server in 7.0.0.0\/8?\u00a0 Or what do they do if the DoD does sell all or part of their IPv4 assets?\u00a0 Azure or AWS could purchase blocks and use them for their IaaS clients \u2013 forcing squatters to re-number or risk losing access to legitimate Internet services.\u00a0 Obviously, this is not the best position for organizations to be in.\u00a0 Nor is it ideal for the DoD to have numerous networks using their addresses.\u00a0<\/strong><\/p>\n This DoD event brought to fore the topic of advertising one\u2019s address space.\u00a0 Or more specifically not<\/em> advertising it.\u00a0 Over the years I have come across numerous companies that opt to not advertise parts of their Provider Independent<\/a> (PI) address space.\u00a0 The reasoning is almost always that \u201cit is more secure\u201d to not advertise IPs to the public Internet.\u00a0 I suspect this comes, at least in part, from decades of network engineers using RFC 1918<\/a> addresses and NAT for public Internet access, and the security model that accompanies this architecture.\u00a0 The thought is \u201cif something is hidden, it is safer.\u201d\u00a0 There is some truth to this, but in current networking, its validity is conditional at best.\u00a0 Network Address Translation and RFC 1918 addressing were developed to prolong limited IPv4 resources, not as a security mechanism.\u00a0 It may be widely accepted as such, but we know how exploits regularly circumvent this common design.\u00a0 And a strong argument can be made that, along with a false sense of security, the added complexity of NAT can lead to misconfiguration and other administrative errors that exacerbate risk (not to mention the problems sorting through logs and translating addresses during incident triage).<\/p>\n Security experts make the case that topology-hiding is not a cornerstone of IT security.\u00a0 Using NAT and RFC 1918 address space does not specifically provide security, rather stateful inspection provides this function at the perimeter or on the host.\u00a0 This is discussed in RFC 4864<\/a>, Local Network Protection for IPv6.\u00a0 And of course, the perimeter is only one aspect of a broader security strategy and framework.<\/p>\n For those enterprises that have an IPv4 Provider Independent (PI) allocation, it should be viewed as a valuable asset.\u00a0 All five Regional Internet Registries (RIRs) have exhausted their IPv4 address pools<\/a>.\u00a0 Enterprises need to protect their PI space for internal use since acquiring more from their RIR is not an option.\u00a0 Or, if it is not needed, they can sell it on the gray market to an entity that can justify the transfer.\u00a0 (A note about the example above – the DoD\u2019s IPv4 CIDRs could be worth north of $7 billion based on the current price of $40 per IPv4 address<\/a>.)<\/p>\n My recommendation is to protect this asset by announcing it through your transit peers to the public Internet.\u00a0 If all or part of that announcement is not intended for public use, the route can simply be blackholed at the network perimeter, eliminating the attack surface.\u00a0 Having your CIDR(s) in the global table will discourage others from using those blocks for internal use, or worse yet, from squatting on them publicly.\u00a0 The advertisement of the DoD IPv4 address space could be a warning to organizations using DoD numbers internally that the practice should be discouraged and is not a long-term strategy for those entities.\u00a0 The perceived benefit of not advertising is more than offset by drawbacks and risks of not doing so.<\/p>\n Another reason to advertise the DoD IPv4 addresses may be to put them into the Internet routing tables to show proof of ownership and use as part of a preparatory step to a sale.\u00a0 The IPv4 address transfer market pricing is often based on the cleanliness and reputation of those numbers.\u00a0 The DoD could be advertising these addresses to assess and prove their reputation to derive maximum value of these assets.\u00a0 The DoD would want to get top dollar for these addresses, but if they are squatted on frequently and there is significant “backscatter” from their use on the Internet, then the price per address could be lower than the DoD desires.<\/p>\n The industry has seen organizations run out of RFC1918 address space, and now many are starting to use RFC 6598<\/a> addresses (incorrectly applied), and, as we have seen, some are using DoD and\/or other allocated but unadvertised blocks.\u00a0 Organizations are desperate, not following networking best practices, and grasping at straws.\u00a0 Do not let them take your straw!<\/p>\n If the DoD had started announcing a block of IPv6 address space, would that act have also caused such a fuss?\u00a0 I suspect anyone that even noticed would not have given it a second thought.\u00a0 Most of the discussion above has revolved around IPv4 networking and all the architectural, security, financial, and philosophical baggage that come with it.<\/p>\n One way to circumvent all these issues is to simply deploy IPv6 \u2013 architect your network for the future and let go of the past.\u00a0 Many others have taken this step.\u00a0 Previously I wrote about best practices and lessons learned<\/a> from companies that have gone IPv6-only.\u00a0 We know that IPv4 will be around for a while, but there are numerous ways for IPv6-only networks to communicate with the legacy Internet.\u00a0 IPv6 brings back the end-to-end nature of the Internet, which is much simpler and easier to operate.\u00a0 It can be secured without NAT, and it is also a model that fits well with zero trust networking.\u00a0 It is, in almost every manner, superior and leads one to ponder why we are still dealing with all the IPv4-related issues discussed above.<\/p>\n It is recommended that if you do have PI space from your RIR to advertise that block in the default free zone<\/a>.\u00a0 If that space is not to be accessed from the public Internet, simply blackhole the route.\u00a0 And follow other best practices related to your valuable IP assets such as keeping Internet Route Registries<\/a> current, as well as maintaining your organization\u2019s information in RIR databases.\u00a0 (For ARIN, you can find related information here<\/a>.)\u00a0 In addition, use an IPAM<\/a> system to properly manage your IP assets internally.<\/p>\n As the cost of IPv4 address continues to increase, and companies start to employ more desperate measures, leave the drama behind, and embrace IPv6.\u00a0 IPv6 brings back the end-to-end nature of the Internet by simplifying designs and often improving network performance.\u00a0 Stateful security and a zero trust network architecture can be employed to secure corporate assets in IPv6, just like IPv4.\u00a0 Your RIR has plenty of IPv6 address space to allocate your organization to get started, and lots more for future growth if needed.\u00a0 And when an IP-rich entity like the DoD starts advertising large swaths of IPv4 address space, you can safely ignore the news and move on to more pressing tasks.<\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Back in January of this year (2021), something happened that caused a commotion in the networking community.\u00a0 The U.S. Department of Defense (DoD), via BGP proxy AS8003, advertised a vast amount of IPv4 address space that had been previously unannounced.\u00a0 This event got me thinking about several topics \u2013 and offers me an excuse to […]<\/p>\n","protected":false},"author":351,"featured_media":3730,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[17],"tags":[38,585,56,368],"class_list":{"0":"post-7225","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ipv6-coe","8":"tag-ipv6","9":"tag-dod","10":"tag-ipv4","11":"tag-federal","12":"entry"},"acf":[],"yoast_head":"\nThe \u201csecurity through obscurity\u201d mindset<\/strong><\/h3>\n
Announce your IPv4 address space<\/strong><\/h3>\n
Or better yet\u2026 IPv6<\/strong><\/h3>\n
Conclusions<\/strong><\/h3>\n