Title: Private Addresses in Cambridge
1 Private Addresses in Cambridge
- Pros and Cons
- Kate Jeary
- University of Cambridge TechLink Seminar
- 11 June 2003
2 Private Addressing
- There are several types of private address available, which shouldn't be confused with each other.
- The main RFC (Request for Comments) dealing with private addressing is RFC 1918, which uses the following classes: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 and 192.168.0.0 - 192.168.255.254.
- The Microsoft summary of this RFC can be found at http://support.microsoft.com/default.aspx?scid=kb;en-us;142863
3 Microsoft variations
- Microsoft also added APIPA (Automatic Private IP Addressing) addresses to the private address space, utilizing the class 169.254.0.0 - 169.254.255.255.
- You will generally find that your system has assigned itself an address in this range if you have an ethernet card in your machine, you have not supplied an IP address and the machine can't find a DHCP server.
- To check, Start > Run > cmd (or command for 98/Me) and ipconfig /all
4 Microsoft, DHCP, NAT
- Microsoft, like other operating systems (Linux/Unix and MacOS), also utilizes DHCP-style addresses, which are normally of the 192.168.x.x style.
- Unlike DHCP-issued addresses, but like ordinary globally unique IP addresses, RFC 1918 addresses are normally permanent.
- RFC 1918 addresses are not normally accessible from outside the institution (cam.ac.uk) because they are not unique.
5 Microsoft, DHCP, NAT
- If you need external connectivity, i.e. an outside client connecting to a private address in cam.ac.uk, then you should normally use NAT (Network Address Translation) of some type.
- An example of this would be to use an ISA server and a VPN. See http://support.microsoft.com/default.aspx?scid=kb;en-us;303503 (How to Join or Access an Internal Domain from an External Client Using ISA Server and VPN).
- Note: PPTP is not as secure as L2TP.
6 Private Addressing in Cambridge
- In Cambridge there are two classes of private IP address.
- Firstly there are the personal IP addresses. These are normally in 172.16.x.x upwards, and should be applied for (even en bloc) in the normal way, to IP-Register@ucs.cam.ac.uk (specifying that you want a private address).
- Then there are the institutional private addresses. These are the 10.0.x.x and 192.168 nets. The Computing Service will not route these across cam.ac.uk.
7 Private Addressing in Cambridge
- In practice this means that, at the very least, you need to have your own router (and probably firewall/proxy server as well) to use these.
- If you have several sites and need to access all of these, and are using private as well as global IP addresses, you will have to consider some form of VPN/tunnelling to access these sites.
- This is not a simple job.
- In general, careful thought needs to be given to mixing private and global addresses.
8 How do Private Addresses behave?
- Oddly enough, in cam.ac.uk, the same as any other global IP address. In other words you can have workgroups, domains, intranets (IIS for example).
- You can browse your local subnet, presuming that the machines are all on the same private IP subnet.
- You can use programs like nslookup to resolve names to addresses and addresses to names, as normal.
- Try resolving galleon.csi.private.cam.ac.uk. It should resolve to 172.20.7.1.
9 How do Private Addresses behave?
- Unsurprisingly, in normal Cambridge style, private addresses use the nameservers 131.111.8.42 and 131.111.12.20, the gateway 172.20.7.62 and the netmask 255.255.255.0 (a class B address).
- A privately-addressed machine can connect to the Internet, run IIS successfully as an intranet server (and a great deal more securely than a public IIS server!), send and receive email, and print.
- What it cannot do is accept connections from outside cam.ac.uk, since the nameservers outside cam.ac.uk know nothing about it!
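As an added example (not from the slides), the following Python check applies the address classes from slides 2, 3 and 6 and the host/gateway/netmask figures from slide 9 to what a machine reports in ipconfig /all. The "personal"/"institutional" labels and the finding texts are this example's own wording of the slides' rules.

```python
import ipaddress

# RFC 1918 ranges from the slides, with the Cambridge split applied to each:
# 172.16.x.x upwards is "personal" (registered via IP-Register); 10.0.x.x and
# 192.168.x.x are "institutional" and are not routed across cam.ac.uk.
RFC1918 = {
    ipaddress.ip_network("10.0.0.0/8"): "institutional",
    ipaddress.ip_network("172.16.0.0/12"): "personal",
    ipaddress.ip_network("192.168.0.0/16"): "institutional",
}
# APIPA: self-assigned when there is no static address and no DHCP server.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def classify(addr: str) -> str:
    """'apipa', 'private-personal', 'private-institutional' or 'global'.

    Ranges are checked explicitly: the is_private flag in ipaddress also
    covers loopback, link-local and documentation prefixes, not just RFC 1918.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only")
    if ip in APIPA:
        return "apipa"
    for net, kind in RFC1918.items():
        if ip in net:
            return f"private-{kind}"
    return "global"


def same_subnet(addr: str, gateway: str, netmask: str) -> bool:
    """True if the gateway lies in addr's subnet (dotted netmask accepted)."""
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return ipaddress.ip_address(gateway) in net


def check_host(addr: str, gateway: str, netmask: str) -> list:
    """Findings to raise from an ipconfig /all readout, as a list of strings."""
    notes = {
        "apipa": "self-assigned APIPA address: no static address and no DHCP lease",
        "private-institutional": "institutional private address: needs your own router",
        "private-personal": "personal private address: reachable inside cam.ac.uk only",
    }
    kind = classify(addr)
    findings = [notes[kind]] if kind in notes else []
    if not same_subnet(addr, gateway, netmask):
        findings.append(f"gateway {gateway} is outside {addr}/{netmask}")
    return findings
```

Running check_host("172.20.7.1", "172.20.7.62", "255.255.255.0") on the slide's example host reports only the personal-address note, since the gateway is in the same /24.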
10 Which machines would I want to use private addresses with?
- Any common desktops which have single or dedicated uses, particularly for use in labs with particular configurations, or with non-traditional software.
- For example, a machine configured by a consultant to use a third-party product such as MSDE, attached to a microscope.
- Or an application used for door-opening or security, based on a product, again, like MSDE or SQL Server.
11 Which machines would I use private addresses with?
- Other examples would include self-service applications like book-issuing, general use machines not owned by any one person, and portables.
- It could work well for Colleges, but it might well annoy some students who wanted external users to be able to connect to their machines (e.g. P2P software).
- It would also probably be useful for general purpose library machines, with some provisos. For example, access to some electronic resources (validated by IP number, for example) could be a problem.
12 Could I use these addresses with servers/domains?
- Yes, you could, but there are obvious caveats.
- Servers which provide external services are not good candidates.
- For example, a standard webserver (as distinct from an intranet server) cannot be run on a private address.
- Mail servers (with the possible exception of Microsoft Exchange) should not be run on a private address.
- Databases which need to be widely accessible externally should not be run on a private address.
13 And the exceptions to these rules?
- If servers like these are only accessed externally occasionally, for example for management reasons, it should be possible to use a Cambridge VPDN connection to access them.
- The Cambridge VPDN setup uses the canonical cam.ac.uk nameservers, which know about private.cam.ac.uk (Cambridge machines with private addresses).
- It is however unlikely that Network-Support will look sympathetically on private users doing so!
14 Microsoft Exchange
- It should be perfectly possible (and even desirable!) to hide a Microsoft Exchange server behind ppsw.cam.ac.uk.
- If OWA (Outlook Web Access) is needed then Microsoft suggest using a separate machine with a global address to connect to the Exchange server.
- However this is in theory. NT-Support haven't yet tried to do this (though others might have).
- Considering Microsoft Exchange boxes are hacker targets, it is a solution worth considering.
15 And more exceptions?
- Library machines which are primarily geared to electronic resources (rather than web access to the UK catalogue) are not necessarily good candidates, for authentication reasons.
- If a library machine uses the Cambridge webcache to access a 'cam.ac.uk'-only website, then this should work. Actually it may be more likely to work than not using the webcache.
- The address presented to the site should be that of the webcache.
- If however the resource (a web site, a CD) is restricted to a Department or College then this will fail (wrong IP address).
16 And more exceptions?
- Remember that, as one of the cache webmasters says: "The web involves a lot more than web servers on port 80 these days, and many of the protocols supported either natively by browsers or by plugins are not proxyable and therefore need direct access to the target server, hence global addresses for the clients."
- The pragmatic solution to hitting that problem would be manual configuration, with the browser configured to use the cache for SSL and with the 'no proxy' exclusion limited to just cam.ac.uk (still don't want pointless CUDN traffic through the cache...).
17 Microsoft Protocols and Private Addressing
- Browsing between subnets is always a problem, and using private addresses is no different from the usual setup in this respect.
- The usual solutions apply, which are:
  - Register the machine(s) with the CS WINS servers, and configure the clients to use the WINS servers
  - Set up a pair of WINS servers yourself
  - Use an LMHOSTS file containing your NetBIOS names and their mappings, which you copy to all machines
  - Address the other machine as \\<Private IP address>\Sharename if using NetBIOS over TCP/IP (Windows 2000, XP and 2003)
18 Microsoft Protocols and Private Addressing
  - Use a tunnel/VPN setup
- Note: this 'solves' the access-to-resources issue. It doesn't necessarily mean that all the Windows boxes are listed in Network Neighbourhood!
- If your users insist on browsing for resources, remind them that in Windows XP and/or Me this can look like an attack to another machine's owner (Universal Plug and Play).
- If they need permanent shares, set them up for them!
19 Microsoft Domains and Private Addressing
- There are obvious issues here to do with nameservers.
- For those people who run an unofficial 'cam.ac.uk' zone to get over the dynamic updates problem, private.cam.ac.uk can be downloaded in the usual way.
- You may want to separate your own Department or College's private addresses, in which case you might download <domain>.private by itself.
- There are obvious complications with this setup (other private.cam.ac.uk records, for example).
- The best solution is to keep such a domain as authoritative for private.<domain>.cam.ac.uk only, and to use IP forwarders for all other cam.ac.uk (including <domain>.cam.ac.uk) queries.
20 Microsoft Domains and Private Addressing
- You will need to set up your reverse lookup zones for the private IP subnets if you use Windows DNS.
- Private addressing should not otherwise affect ADS.
- If you use Microsoft TCP/IP printing, printers which have global IP addresses should not prove a problem.
- However, it is reasonably unlikely that you would want to have an entire domain with private addressing.
- The best candidates are probably standalone servers running (mainly) cam-only services.
21 Microsoft Applications
- There is the usual potential for problems here. There was a problem with SQL Server 2000 and private addresses which was fixed in SP2.
- In general, you will probably get the occasional glitch, but no more than usual with Microsoft.
- It is probably best not to mix private and global addresses more than you have to.
22 Security
- Private addresses are undoubtedly a bonus in terms of security, particularly considering how many scans and hacker attacks are made against cam.ac.uk.
- However, they will not protect you against internal attack from zombies (machines already compromised) within Cambridge!
- They are not a substitute for keeping machines patched and secure, merely a potential additional layer of security (defence in depth).
23 The Future
- Private addressing was made popular by the growing shortage of addresses in the current (IPv4) way of naming machines.
- However, over the next few years we will be moving to IPv6, which should get us over this shortage.
- So it is possible that the future will not be a world full of private or NAT addresses behind firewalls and proxies.
- But given the security (or lack of it!) on the Internet I cannot see this changing soon.