IPv4 Address Space Guidelines

Audience

This document is intended for IT professionals who manage departmental networks on the UW campus.

Definitions

• Private IPv4 address space: this is not a UW-specific term. It refers to the networks defined in RFC-1918. These can reach the internet when routed through a NAT gateway, but are not directly reachable from the internet. These networks are:
  • 172.16.0.0/12
  • 192.168.0.0/16
  • 10.0.0.0/8
• Public IP address space: these are IP addresses that are reachable from the internet (subject to firewalls and other controls).
• 10net: This is UW's term for private IP addresses in 10.0.0.0/8. New network requests will be filled from this block unless there is a justification to do otherwise.
• p172: This is UW's term for private IP addresses in 172.16.0.0/12. Formerly, UW-IT allocated these addresses on a 1:1 basis with public IP address allocations, but this is no longer done and use of this block is being phased out.
• Non-routable IPv4 address space: At UW, this refers to private IP addresses in the 10.64.0.0/16 block. These may be used by anyone without coordination, and will never be allowed to route outside the subnet.
  • In addition, UW-IT does not allocate space on the campus network out of the 192.168.0.0/16 block. Due to the popularity of this block for many applications, we do not encourage its use.
• Managed firewall: this is a UW-IT service which provides UW departments, for a small one-time fee, a network perimeter access control facility.

Summary of recommendations

1. For most applications, whether edge or data center:
   1. Accept the default allocation of a 10net network.
   2. Request a Managed Firewall instance to protect it.
2. If you need a publicly routable IP address:
   1. Request a network as small as possible and use it only for devices that require it.
   2. Request a Managed Firewall instance to protect it.
3. If you know your device(s) will never need to communicate outside their own subnet:
   1. Use addresses in 10.64.0.0/16. (You do not need to request an allocation.)
   2. Request a Managed Firewall instance to protect it, with no ingress or egress allowed.
   3. Be sure you want this, because a non-routable allocation can never be made routable outside its subnet.
4. If you have an existing network allocation, regardless of type, and wish to reduce risk:
   
   1. Request a Managed Firewall instance to protect it.
   2. Migrating public address space to 10net is generally labor-intensive, and should have an economic justification. It should not be undertaken merely for security reasons.

The utility of private IPv4 address space as a security measure is very limited. 10net and p172 should not be thought of as security mitigations. The same ends can be met by the use of department-level managed firewalls, which is the security solution we recommend.

In appropriate cases, non-routed IP address space may also be used at the department's discretion, but again, this is geared toward architectural convenience and local control without coordination, and should not primarily be considered a security measure.

These recommendations apply to both wired and wireless networks, and regardless of whether DHCP is provided.

To request a new subnet or IP address block allocation, please submit the Subnet Order Form.  This ensures your request is tracked and processed correctly by UW-IT.

Detail

Benefits of private IPv4 addresses

As globally routable IPv4 space has become more scarce, UW-IT has begun routing blocks of RFC1918 IPv4 space on the campus network without public equivalents. This is a nod to the increasing economic value of public IPv4 address blocks (they will be expensive to procure, and valuable to sell).

Avoiding unnecessary use of public IPv4 addresses is therefore the fiscally responsible thing to do. Recovery of existing public IPv4 address blocks is similarly economically desirable; however, this is quite labor intensive, so may not be worthwhile in most cases.

Additionally, there is some security benefit to using private IPv4 addressing, because the address will not be directly attackable from the internet. However, the reality of current attack vectors makes this far less advantageous than was once widely assumed.

Residual risk of private IPv4 addressing

The use of private IPv4 address space as a means of reducing has some value, as it renders devices unreachable directly from the internet. However, the use of private IPv4 address space does nothing to mitigate:

• Lateral movement from UW device to UW device. Once a foothold is gained on a UW network, it makes no difference whether further targets are privately or publicly addressed.
• Interactive attacks requiring user action. End user devices are almost always able to reach the internet (via NAT). Attacks on these devices are nearly always facilitated by user activity, and in these cases, either malicious code is launched locally, or the device reaches out to a malicious endpoint to receive commands and code. None of this is impeded by private addressing.
• Risks to IPv6 devices. IPv6 has no notion of "private" addresses at all, and yet an increasing number of devices will obtain and use IPv6 addresses as soon as they are connected to a wall port. Focusing on IPv4 private addressing has no effect on IPv6 connectivity.

Further, migrating public IPv4 address space to private address space is a very labor-intensive task, requiring renumbering of thousands of devices, as well as reconfiguration of peer applications, firewalls, and other access controls. It also leaves operators with no ability to use host-based access controls for off-campus (cloud) devices, and no flexibility to allow incoming connections to an on-campus device if future needs dictate, except by changing its IP address again.

Managed firewalls

A department-level managed firewall delivers all the security benefits of private address space and more, without any of the above drawbacks:

• The primary security benefit of private IPv4 address space -- eliminating incoming connections -- is easily replicated with a basic egress-only firewall configuration.
• A managed firewall currently incurs a nominal $600 one-time cost, which is a fraction of the labor cost of converting an entire subnet from one network to another.
• A managed firewall reduces risk to IPv6 devices as well as IPv4 devices.
• Where risk appetite dictates, a managed firewall can restrict egress as well as ingress - something private addressing paired with NAT cannot do.
• Managed firewalls are a very effective way to reduce the risk of lateral movement of an attacker within UW networks.

Non-routable IP address space

In addition to managed firewalls, non-routed IP address space does have a place. IoT devices or other locally-managed devices that will never need connectivity outside their subnet may use non-routed IP address space. This address space has the added advantage that no coordination with UW networks is needed, since there will never be any possibility of addressing conflicts outside the subnet.

The use of non-routed IP address space as a security boundary sidesteps most of the disadvantages of using IPv4 private address space, except that the operator must be careful to disable IPv6 connectivity.