For devices and systems that do not need full, unmediated internet connectivity, use of private IP addresses (“10net”) improves security by preventing direct access from entities outside the UW network and conserves UW’s limited IPv4 address space.
The service includes four elements:
- Provide campus-wide routing of private address space.
- Provide DHCP service on a per-subnet basis. (This requires coordination with the UW-IT Service Center to convert to private address DHCP.)
- Provide a Public and a Private view of the DNS zones.
- Provide Network Address Translation (NAT) from private addresses to (a relatively small number) of UW public addresses.
The aggregate effect is to allow a subnet to (optionally) be configured such that attached computers, by default, are not accessible from outside UW, but can still initiate outbound connections.
Hosts configured with standard public/global addresses (e.g., most servers) would not derive any security benefit from this feature. Furthermore, this service offers no protection from attacks exploiting hosts within the UW network.
Use of campus-wide private addresses is intended to supplement, but not replace, firewall and/or host-based security measures.
For those needing access to the private internal UW network from remote locations, see Husky OnNet.
Hosts that do not require connectivity off their own subnet have always been able to use private addresses, but many systems require cross-subnet connectivity within the UW network, even if they do not need (any or full) connectivity to the entire internet.
Many years ago, UW developed Project 172 (“p172”). P172 provided a new class of campus-wide network service analogous to what a typical home LAN user experiences when behind a residential gateway — one that provides an additional measure of protection against “outside” attacks against certain networked systems. P172 used the 172.16.0.0-172.31.255.255 range of addresses and provided a one-to-one mapping between the public and private subnet. In these deployments, both p172 and public addresses were provisioned in single vlans.
Over time, as more UW groups migrated to p172 addresses, a huge imbalance developed between extensive use of assigned p172 private address space and unused (but assigned) public address space. In addition, having both p172 and public addresses in a single vlan complicates security efforts in preparing for a future with production internet use of IPv6 addresses.
UW-IT will no longer offer p172 address assignments. Existing deployments are still supported and will continue to work for the foreseeable future, but p172 will not be allocated for provisioning of new networks. Going forward, new private addressing services will be offered via 10net.
New private address sub-networks will be provisioned out of the 10.x range of addresses (“10net”).
To help conserve public address space and to make ongoing maintenance as simple as possible:
- There will not be a one-to-one subnet mapping between the public and private subnet.
- A 10net sub-network might not have a public IP address range.
- UW-IT will typically provision a significantly larger amount of 10net space on a sub-network to avoid the need to renumber in the future.
- The smallest allocation in 10net space will be a /23 (~500 hosts).
- 10net addresses will be configured in vlans separate from vlans using public addresses.
- The default gateway will always be on the ‘.1’ address (and .2, .3, .4 will all be reserved for network equipment).
- Legacy Network Migrating to 10net space
184.108.40.206/24 (public IP space, 10/252 used)
172.22.80.0/24 (p172 – deprecated, 27/252 used)
10.146.112.0/23 (10net, DHCP)
- 10net network in a residence:
10.154.80.0/23 (10net, DHCP)
- 10net network in a department
10.155.128.0/20 (10net, DHCP)
220.127.116.11/27 (~28 hosts on public addresses)
The campus-wide private network service element uses the 10.0.0.0/8 and 172.16.0.0/12 private address space as defined by RFC1918.
The 10net private address routing is a ‘branded’ service in the sense that UW-IT provides the routing infrastructure to route between the private address space and the public space, and it is managed and monitored by our Network Operations Center (NOC).
The NAT function is performed by dedicated UW-IT NAT/firewall devices with each NAT device configured for redundancy in the event of a failure of either the NAT module or the core router that is connected to it.
As globally routable IPv4 space has become more scarce, UW-IT has begun routing additional blocks of RFC1918 IPv4 space on the campus network without public equivalents. Campus users interested in setting up private networks using RFC1918 space should consult the Campus RFC1918 Space Usage Policy.
UW-IT has reserved the 10.64.0.0/16 block of IPv4 space for the use of campus departments when coordination is not needed. UW-IT will not route any space in this block on the campus network. UW-IT does not track allocations out of this block by campus users.
In addition, UW-IT does not allocate space on the campus network out of the 192.168.0.0/16 block. Due to the popularity of this block for many applications, we do not encourage its use.
For 10net address assignments, DHCP configuration for your subnet, static 10net addresses requests, DNS registration of your systems, or general questions about the service, please contact Customer Services at firstname.lastname@example.org.