
Does it make any difference from a security perspective to use any other IP address ranges than RFC1918 addresses within LAN segments?

Peter Mortensen
cyzczy

  • Are we to assume that this is for a network that has any reason whatsoever to communicate with any host on the Internet, either now or in the future? Remember, RFC 1918 (and [some of its companions](https://michael.kjorling.se/computers/internet-reservations/examples-and-documentation)) is only relevant on an Internet-connected network; if you are building your all own IP network that does not need to communicate with the Internet, you can of course do what you want, at the risk of confusing whoever comes after you to manage it. – user Mar 01 '17 at 19:58
  • See also [Are there any advantages to using someone else's publicly-routable IPv4 addresses locally?](http://serverfault.com/q/520952/126632) – Michael Hampton Mar 01 '17 at 23:16

1 Answer

No, and it will give you nothing but headaches.

What happens when your email server has to email an MTA that just so happens to have the same IP address as a machine in your subnet? Or when that website your user needs to go to has the same IP address as a machine in your network? Default routes are created saying "If this machine doesn't exist in this network, send it through the gateway to find said machine", but if that machine is found on your network it will never reach the gateway.

I assume one might think that there is a security benefit in using unconventional IP addressing, in that it might deter an attacker footprinting your network, when in actuality if he pops a box he's going to look at the IP address scheme and just scan that network. It won't matter if the network is 10.10.0.0/16 or 123.123.123.0/24.

Private address ranges were invented for a reason and not using them provides no additional security benefits. There is a litany of reasons why "Security through Obscurity" is not a sound security concept, so please save yourself the hassle and just use those in the RFC.

DKNUCKLES
  • Yeah, do not under any circumstances do this. One benefit of RFC1918 is that it isn't (or should not be) publicly routable (avoiding some random stranger getting sent something important). [BCP-38](http://www.bcp38.info/index.php/Main_Page) compliant ISPs should also be dropping RFC1918, again, avoiding a number of data leakage issues. – iwaseatenbyagrue Mar 01 '17 at 15:29
  • I was contracted to set up a network, and halfway through, the customer asked why I'm using the standard `192.168.0.0/24` block internally. He claimed that hackers would know that, and he wanted to throw them off. After a few minutes of arguing, and me assuring him it is not any more secure, he let me set up my way, then changed it as I was leaving. Just shook my head and left... Got called back in a few days later to get the Internet working again. – Canadian Luke Mar 01 '17 at 19:37
  • @CanadianLuke I hope you changed it to 192.168.255.0/24. – user Mar 01 '17 at 19:57
  • @Michael I should have changed it to 10.1.255.0/8... The good old days... – Canadian Luke Mar 01 '17 at 20:12
  • @CanadianLuke I think there would be less chance of them noticing if you used something like: `172.29.86.0/24`. In all seriousness though, using something other than `192.168.0.0/24` is a good practice because it reduces the probability of collisions if you ever need to merge two LANs in the future. That concern is actually significant enough that in the case of IPv6 it was even made mandatory to randomize 40 bits of the address when using local addresses. – kasperd Mar 01 '17 at 22:49
  • Just one point: it doesn't matter if the IP is actually used by any computer on the local network — as soon as the IP is part of the local network range, whether it is actually used or not, traffic for that IP won't get out. – jcaron Mar 01 '17 at 23:34
  • @jcaron Good point! You're absolutely correct. – DKNUCKLES Mar 02 '17 at 00:39
  • @CanadianLuke Well, if it is /8, it is 10.0.0.0 and not 10.1.255 – Hagen von Eitzen Mar 02 '17 at 07:04
  • @HagenvonEitzen We are straying from the topic of the question *and* the answer, but first address bit set to 0 originally indicated class A. Thus first octet 0 through 127 were by definition what we now refer to as /8. Hence, I believe, Canadian Luke's reference to "the good old days". Classful addressing had certain advantages with the extremely limited hardware of the day, but especially with the boundaries chosen was hugely wasteful as the Internet became far more popular than its designers had originally envisioned. – user Mar 02 '17 at 07:31
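The answer's collision scenario and jcaron's point that the address need not be in use, as an added worked example that is not part of the original thread: a minimal longest-prefix-match lookup over a host's routing table, plus a check that flags a LAN prefix outside RFC 1918. The two-route table, the gateway and the destination addresses are constructed for illustration; 123.123.123.0/24 is the answer's public-looking block.

```python
import ipaddress

# RFC 1918 private ranges, the blocks the answer recommends for LAN segments.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def next_hop(routing_table, dst):
    """Longest-prefix-match lookup, the way a host picks a route.

    routing_table is a list of (prefix, next_hop) pairs. The most specific
    matching prefix wins, so a connected /24 always beats the 0.0.0.0/0 default.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routing_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def host_table(lan_prefix, gateway):
    """Simplified (constructed) host table: one connected LAN route plus a default."""
    return [(lan_prefix, "directly connected"), ("0.0.0.0/0", gateway)]


def route_for(lan_prefix, gateway, dst):
    """Where a host on lan_prefix sends traffic for dst."""
    return next_hop(host_table(lan_prefix, gateway), dst)


def check_lan_prefix(lan_prefix):
    """Flag a LAN prefix that shadows public address space.

    Every address inside a non-RFC1918 LAN prefix resolves to the connected
    route and never reaches the gateway, whether or not a local host uses it.
    """
    if is_rfc1918(lan_prefix):
        return "ok: RFC 1918 prefix, nothing on the Internet is shadowed"
    return "warning: %s shadows public address space for every host on the LAN" % lan_prefix
```

With the LAN numbered 123.123.123.0/24, a packet for 123.123.123.50 is routed as "directly connected" even though no local machine uses that address; with 10.10.0.0/16 the same destination goes to the gateway.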