Monday, December 16, 2013

DoD address space: it's not a conspiracy

Recently on Cryptome (the better leaks than wikileaks site), a paper appeared pointing out that BT (British Telecom) assigns all their modems an extra address in the 30.x.x.x address space, and then attaches SSH and SNMP to that address. This looks like what many ISPs do, assigning a second IP address for management, except for one thing: the 30.0.0.0/8 block is assigned to the United States Department of Defense. This has caused a fevered round of speculation that this is actually a secret backdoor for the NSA/GCHQ, so that they can secretly monitor and control people's home networks.

Maybe, but it's probably not the case. The better explanation is that BT simply chose this address space because it's non-routable. While it's assigned public address, it's only used inside the private DoD military network. Try tracerouting to that address space, you'll see that your packets go nowhere.

Thus, it's a good choice for pseudo-private address space.

This sort of thing happens a lot. I (or others I trust) have seen 1.0.0.0/24, 22.0.0.0/24, and other instances of 30.0.0.0/24 used this way. I can confirm that companies use DoD address space as private addresses. Just because it's DoD doesn't mean they route to the DoD.

The reason all these address spaces are DoD is because that's really the only source of unused IPv4 addresses left. All IPv4 address ranges have been assigned. But, the DoD has been assigned 20% of the IPv4 address space, but most of it is used within the DoD, on their own private networks, and is not routable to the outside world. Thus, if you are looking for a large chunk of "private" addresses that won't suddenly one day be assigned to Akamai or Amazon (and thus, explode in your face), then DoD addresses are the way to go.

There are a couple good reasons for going with this approach. The first is that existing private address spaces (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) are frequently used inside a home network, and thus, might cause some routing confusion if also used outside a home gateway. The second is that for a large company like BT, with millions of customers, they may have exhausted the private address space. The 10.x.x.x network has only 16 million possible addresses, and due to the way it needs to be carved up and routed, would be useful for quite a bit fewer than that. Thus, they may need a few /8 address chunks to adequately cover everyone for a management network.

What I'm trying to get to here is "Occam's Razor". For many people, when they see the 30.0.0.0/0 address, and that it's assigned to the DoD, their simplest explanation is that the DoD is spying on people's home modems. Those of us with more experience see that the most obvious explanation is that BT chose this as pseudo-private address space.

Update:
To be clear, that paper contains nothing that is evidence of NSA spying. I may have missed something, because I only skimmed it, skipping the paranoid ravings, but none of the technical details show anything amiss. Many ISPs provide custom firmwares for the modems they sell. These firmwares typically have a management "backdoor" so that the ISP can monitor and/or control the modem. Many, many networks use publicly allocated DoD addresses inside their network as private addresses.

4 comments:

Olivier Cahagne said...

A good case to move to IPv6 for management

jared spiegel said...

lucent uses 152.148.0.0/16 for "management" on lots of their old big telco iron as if it was RFC-1918 space. not an issue, until you use that gear and are forced to either A) put a bunch of static-routes in place to get to the gear using it or B) change the gear to 1918 IPs and run the risk of losing support.

Roger Girlardi said...

What's your source for "DoD has been assigned 20% of the IPv4 address space"? I tried to confirm it and counted only 13 /8 assignements.

Michael Heister said...

It's a good case for using VRFs to separate management traffic from production traffic.