Private Address Routing


IPv4 Address Space Guidelines

Audience

This document is intended for IT professionals who manage departmental networks on the UW campus.

Definitions

Summary of recommendations

  1. For most applications, whether edge or data center:
    1. Accept the default allocation of a 10net network.
    2. Request a Managed Firewall instance to protect it.
  2. If you need a publicly routable IP address:
    1. Request a network as small as possible and use it only for devices that require it.
    2. Request a Managed Firewall instance to protect it.
  3. If you know your device(s) will never need to communicate outside their own subnet:
    1. Use addresses in 10.64.0.0/16. (You do not need to request an allocation.)
    2. Request a Managed Firewall instance to protect it, with no ingress or egress allowed.
    3. Be sure you want this, because a non-routable allocation can never be made routable outside its subnet.
  4. If you have an existing network allocation, regardless of type, and wish to reduce risk:
    1. Request a Managed Firewall instance to protect it.
    2. Migrating public address space to 10net is generally labor-intensive, and should have an economic justification. It should not be undertaken merely for security reasons.

The utility of private IPv4 address space as a security measure is very limited. 10net and p172 should not be thought of as security mitigations. The same ends can be met by the use of department-level managed firewalls, which is the security solution we recommend.

In appropriate cases, non-routed IP address space may also be used at the department's discretion, but again, this is geared toward architectural convenience and local control without coordination, and should not primarily be considered a security measure.

These recommendations apply to both wired and wireless networks, and regardless of whether DHCP is provided.

To request a new subnet or IP address block allocation, please submit the Subnet Order Form. This ensures your request is tracked and processed correctly by UW-IT.

Detail

Benefits of private IPv4 addresses

As globally routable IPv4 space has become more scarce, UW-IT has begun routing blocks of RFC1918 IPv4 space on the campus network without public equivalents. This is a nod to the increasing economic value of public IPv4 address blocks (they will be expensive to procure, and valuable to sell).

Avoiding unnecessary use of public IPv4 addresses is therefore the fiscally responsible thing to do. Recovery of existing public IPv4 address blocks is similarly economically desirable; however, this is quite labor intensive, so may not be worthwhile in most cases.

Additionally, there is some security benefit to using private IPv4 addressing, because the address will not be directly attackable from the internet. However, the reality of current attack vectors makes this far less advantageous than was once widely assumed.

Residual risk of private IPv4 addressing

The use of private IPv4 address space as a means of reducing risk has some value, as it renders devices unreachable directly from the internet. However, the use of private IPv4 address space does nothing to mitigate:

Further, migrating public IPv4 address space to private address space is a very labor-intensive task, requiring renumbering of thousands of devices, as well as reconfiguration of peer applications, firewalls, and other access controls. It also leaves operators with no ability to use host-based access controls for off-campus (cloud) devices, and no flexibility to allow incoming connections to an on-campus device if future needs dictate, except by changing its IP address again.

Managed firewalls

A department-level managed firewall delivers all the security benefits of private address space and more, without any of the above drawbacks:

Non-routable IP address space

In addition to managed firewalls, non-routed IP address space does have a place. IoT devices or other locally-managed devices that will never need connectivity outside their subnet may use non-routed IP address space. This address space has the added advantage that no coordination with UW networks is needed, since there will never be any possibility of addressing conflicts outside the subnet.

The use of non-routed IP address space as a security boundary sidesteps most of the disadvantages of using IPv4 private address space, except that the operator must be careful to disable IPv6 connectivity.
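The decision tree in the summary of recommendations, together with the IPv6 caveat above, can be turned into a simple audit of a host's configured addresses. The following is an added example written for this page, not a UW-IT tool; it assumes "10net" and "p172" mean the RFC1918 blocks 10.0.0.0/8 and 172.16.0.0/12, and the host address lists are constructed sample data.

```python
import ipaddress

# Blocks referred to on the page. "10net" and "p172" are taken to mean the
# RFC1918 blocks 10.0.0.0/8 and 172.16.0.0/12 (assumption; the page does not
# define them). 10.64.0.0/16 is the page's non-routable sub-block of 10net.
NON_ROUTABLE = ipaddress.ip_network("10.64.0.0/16")
PRIVATE_ROUTED = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")  # IPv6 unique local, never globally routed


def classify(addr: str) -> str:
    """Map one address to the category the recommendations are written around."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        if ip.is_link_local or ip.is_loopback:
            return "ipv6-local"
        # Anything else (including the 2001:db8::/32 sample prefix used below)
        # is treated as globally reachable for the purpose of this audit.
        return "ipv6-ula" if ip in ULA else "ipv6-global"
    if ip in NON_ROUTABLE:  # checked first: it sits inside 10.0.0.0/8
        return "non-routable"
    if any(ip in net for net in PRIVATE_ROUTED):
        return "private-routed"
    return "public"  # everything else is treated as publicly routable here


def audit_host(addrs) -> list:
    """Return the guideline findings for one host's configured addresses."""
    cats = {classify(a) for a in addrs}
    findings = []
    if "non-routable" in cats and "ipv6-global" in cats:
        findings.append("non-routable host has a global IPv6 address: disable IPv6")
    if "non-routable" in cats and ("public" in cats or "private-routed" in cats):
        findings.append("non-routable host also has a routed address: subnet is not isolated")
    if "public" in cats:
        findings.append("public address in use: keep it minimal and put a managed firewall in front")
    elif "private-routed" in cats:
        findings.append("private routed address: request a managed firewall (10net is not a control)")
    return findings


# Constructed sample hosts: an isolated IoT sensor, the same sensor with IPv6
# left enabled, a routed 10net workstation, and a public-facing server.
SAMPLE_HOSTS = {
    "sensor-ok": ["10.64.3.7", "fe80::1"],
    "sensor-ipv6-leak": ["10.64.3.7", "2001:db8::1"],
    "workstation": ["10.12.0.5"],
    "web-server": ["203.0.113.5", "fe80::2"],
}

if __name__ == "__main__":
    for name, addrs in SAMPLE_HOSTS.items():
        print(name, audit_host(addrs) or ["no findings"])
```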