[ale] [OT] Voicepulse question

Michael H. Warfield mhw at wittsend.com
Thu Dec 9 17:18:04 EST 2004


On Tue, Dec 07, 2004 at 11:20:21PM -0600, Aditya Srinivasan wrote:
> Hi Geoffrey,

> On Tue, 7 Dec 2004, Geoffrey wrote:

> > Aditya Srinivasan wrote:
> > >>??? dark addresses ???
> > > I've always thought that IP addresses behind a NAT were called 'dark' ... 
> > > since you can't see them from the outside.
> > > 
> > > But a very quick search on Google does not seem to indicate any such 
> > > nomenclature.
> > > Will have to think about where I learnt this :)

> > Private ip is the terminology I've always seen.

> I agree. IP addresses used with NAT are always private ... 10.0.0.0 
> /172.16.0.0 / 192.168.0.0
> No point using "public" addresses with NAT. In theory, however, one could 
> do so.

	It's actually being done in practice in several very significant
instances.  As far as "no point using", I don't know that I can argue
one way or the other or both.

	I know of several very large networks (an entire /16 for one)
that "went NAT".  It was a fully assigned portable /16 address space
(one of the old class B spaces) and they decided, for one reason or
another (mine is not to judge), they wanted to no longer be "routable"
and placed the entire /16 behind one or more NAT devices.  They then
withdrew the BGP advertisement for that address space, so it no longer
routes (or, at least, shouldn't).  Now, "no point", I can't say.  I don't
know what the point for WANTING NAT might be.  Once you take it NAT
though, you still probably want to keep those public addresses just to
avoid the pain of renumbering an address space of 65,536 addresses.

	Why anyone would want to take a network NAT, I don't know.  I
suppose they had some PHB that thought it would provide them with some
security, I guess.  I became aware of the network due to leakage from
that network that was observable in my own "dark net" making it possible
for me to map several of their subnets and identify a number of machines
behind that NAT infected with MSTDs (Microsoft Transmitted Diseases).
The network admins freaked over how much they were leaking and what
could be determined and the fact that they had a raging infection
"in spite of their security".

	I really hated to point up to them that, by doing so, they
could actually open themselves up to address block hijacking if someone
decided to summarily advertise their block (since it wouldn't conflict
with an existing advertisement).  They would have been better off
"going NAT" and then externally black holing their entire /16 into
a dead-end router somewhere and monitoring the BGP tables.  But...
Some people don't consider some of the unintended consequences of
their actions...

> However private IP addresses can be used without a NAT (an internet with 
> no connectivity to the Internet)
> http://www.faqs.org/rfcs/rfc1918.html

> And hence my (perhaps mistaken) belief that addresses used with NAT were 
> specifically called dark addresses. 

	I've never heard them called dark addresses.

	"Dark addresses" and "dark networks" are terms that are in use by
some of us and some of us (I for one) run dark networks.  These are also,
sometimes, referred to as "net telescopes".  They are addresses (public,
advertised, and fully routable) which have nothing on them and are configured
to not even return errors or ICMP returns.  Thus they are "dark" or "black
hole" addresses.  Packets route in, nothing ever comes back.  The largest
"dark network" I know of, for sure, is CAIDA's /8 net telescope (mine
is a bit less than a /17).  These are what, at least in the security
community, are referred to as "dark addresses" or "dark networks".

	I also have some addresses which are "grey".  They respond to
pings "ICMP ECHO request and reply" but everything else is black holed.
That's set up for "bump and bite" malware that likes to ping an address
first and then attempt to connect to a target.  But that's not as
much in common use as the term "dark net" or "dark address" to refer
to addresses which are totally black holed and totally dark.

> Then again ... it may just have been a professor's pet term that got stuck 
> in my mind :)

> -- 
> Thanks,
> sriad

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
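
An added example, not part of the original message: a minimal Python check for the monitoring step suggested above (black-hole the block and watch the BGP tables for anyone else advertising it). The prefix 198.18.0.0/16, the AS numbers, and the `prefix|AS path` line format are constructed placeholders, not values from the post.

```python
import ipaddress

# Constructed placeholders: 198.18.0.0/16 stands in for the NATed /16 and
# AS64500 for its owner (benchmark/documentation ranges, not from the post).
OWNED = ipaddress.ip_network("198.18.0.0/16")
EXPECTED_ORIGINS = {64500}  # use an empty set if the block is fully withdrawn

# Constructed sample of a BGP table snapshot, one "prefix|AS path" per line.
# The line format is an assumption of this example, not a real tool's output.
SAMPLE_TABLE = """\
198.18.0.0/16|64496 64500
198.18.4.0/24|64496 64499 64511
198.18.0.0/15|64497 64510
203.0.113.0/24|64496 64502
198.18.128.0/17|64498 64500
"""

def parse_table(text):
    """Yield (network, origin_as) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        prefix, sep, path = line.partition("|")
        hops = path.split()
        if not sep or not hops:
            continue
        try:
            # The origin AS is the last hop of the AS path.
            yield ipaddress.ip_network(prefix.strip()), int(hops[-1])
        except ValueError:
            continue  # malformed prefix or non-numeric origin

def find_conflicts(table_text, owned=OWNED, expected=EXPECTED_ORIGINS):
    """Return (prefix, origin, relation) for overlapping routes from unexpected origins."""
    alerts = []
    for net, origin in parse_table(table_text):
        if net.version != owned.version or not net.overlaps(owned) or origin in expected:
            continue
        if net == owned:
            relation = "exact"
        elif net.subnet_of(owned):
            relation = "more-specific"  # beats the owner's route on longest-prefix match
        else:
            relation = "covering"       # shorter prefix that still attracts the block's traffic
        alerts.append((str(net), origin, relation))
    return alerts

if __name__ == "__main__":
    for prefix, origin, relation in find_conflicts(SAMPLE_TABLE):
        print(f"ALERT {relation}: {prefix} originated by AS{origin}")
```

With `expected=set()`, which models the fully withdrawn case described in the message, every overlapping route is reported, including ones originated by the owner's own AS.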