Network/Network Addressing
Addington network addressing and naming plan
Prefixes and Subnets
Prefixes we own
| Prefix | Description |
|---|---|
| 76.10.176.53/32 | Addington HQ router global address |
| 206.248.144.216/29 | IPv4 global addresses routed to Addington HQ (paid Teksavvy service) |
| 2607:f2c0:f00f:1900::/56 | “Big” IPv6 prefix on Addington HQ service (the one we use; nominally dynamic delegation). v6 subnets at the annex are also from this space, routed via tunnel to HQ. |
| 2607:f2c0:a000:0108::/64 | “Small” IPv6 prefix on Addington HQ service (the one we don’t use) |
Prefix allocations
| v4 | v6 | VLAN | Desc |
|---|---|---|---|
| 10.143.16.0/24 | 2607:f2c0:f00f:1910::/64 | HQ16 | “Console” subnet |
| 10.143.21.0/24 | 2607:f2c0:f00f:1915::/64 | - | Addington router-to-modem Ethernet (to mdm-dsl-0) |
| 10.143.22.0/24 | 2607:f2c0:f00f:1916::/64 | AX22 | Girouard router-to-modem VLAN |
| 10.143.22.0/24 | 2607:f2c0:f00f:1917::/64 | - | Wireguard VPN tunnel, Addington HQ to Girouard annex |
| 10.143.48.0/24 | 2607:f2c0:f00f:1930::/64 | HQ48 | At the moment, print0 |
| 10.143.64.0/24 | 2607:f2c0:f00f:1940::/64 | HQ64 | General use “family” wired subnet |
| 10.143.65.0/24 | 2607:f2c0:f00f:1941::/64 | HQ65 | General use “family” WiFi (“fam-65-tabarnak-{24,5}”, WPA2-PSK) |
| 10.143.66.0/24 | 2607:f2c0:f00f:1942::/64 | AX66 | Annex “family” WiFi (“2100 Girouard #200 fam-66 {2.4G,5G}”, WPA2-EAPTLS) |
| 10.143.143.0/24 | 2607:f2c0:f00f:198f::/64 | HQ143 | Public/untrusted WiFi network (“3558 Addington Public {2.4GHz,5GHz}”, no auth) |
| 10.143.144.0/24 | 2607:f2c0:f00f:1990::/64 | AX144 | Annex untrusted WiFi network (“2100 Girouard #200 Public-144 {2.4GHz,5GHz}”, no auth) |
| 10.143.194.48/30 | 2607:f2c0:f00f:19c2:3000::/72 | HQ316 | “Global”, see 206.248.144.216 |
| 10.143.194.52/30 | 2607:f2c0:f00f:19c2:3400::/72 | HQ317 | “Global”, see 206.248.144.217 |
| 10.143.194.56/30 | 2607:f2c0:f00f:19c2:3800::/72 | HQ318 | “Global”, see 206.248.144.218 |
| 10.143.194.60/30 | 2607:f2c0:f00f:19c2:3c00::/72 | HQ319 | “Global”, see 206.248.144.219 |
| 10.143.194.64/30 | 2607:f2c0:f00f:19c2:4000::/72 | HQ320 | “Global”, see 206.248.144.220 |
| 10.143.194.68/30 | 2607:f2c0:f00f:19c2:4400::/72 | HQ321 | “Global”, see 206.248.144.221 |
| 10.143.194.72/30 | 2607:f2c0:f00f:19c2:4800::/72 | HQ322 | “Global”, see 206.248.144.222 |
| 10.143.240.0/24 | - | JBASH | Wireguard subnet interconnecting jbash’s personal devices |
| 76.10.176.53/32 | - | - | HQ router public address |
| 206.248.144.216/32 | (see 10.143.194.48/30) | HQ316 | Global IPv4 for sip-dect6-0 (phone) |
| 206.248.144.217/32 | (see 10.143.194.52/30) | HQ317 | Global IPv4 for ipa-0 (LDAP/Kerberos/etc) |
| 206.248.144.218/32 | (see 10.143.194.56/30) | HQ318 | Global IPv4 for warren (not in use) |
| 206.248.144.219/32 | (see 10.143.194.60/30) | HQ319 | Global IPv4 for Blue (not in use) |
| 206.248.144.220/32 | (see 10.143.194.64/30) | HQ320 | Global IPv4 for jbash (mctl) |
| 206.248.144.221/32 | (see 10.143.194.68/30) | HQ321 | Global IPv4 for jbash (spare) |
| 206.248.144.222/32 | (see 10.143.194.72/30) | HQ322 | Global IPv4 for filer-0 (file server) |
Firewall trust classes
Class names
| Name | Use |
|---|---|
| ADMIN | Devices trusted to manage infrastructure |
| TRUSTY | “Family” subnets |
| UNKNOWN | Outside Internet, public WiFi, etc. |
| SUSPECT | IoT devices, “cloud” crap, stuff that should only connect to specific places. |
Class privileges
These are modified on a per-host basis as necessary. For example, most “SUSPECT” hosts need to connect to various “UNKNOWN” cloud services to get their jobs done. SSH is allowed pretty broadly.
We plan to enforce restrictions on SUSPECT hosts even when they’re talking within their own subnets, using various MAC-layer hackery to force their traffic through the local router for filtering.
| Conn. from | To ADMIN | To TRUSTY | To UNKNOWN | To SUSPECT |
|---|---|---|---|---|
| ADMIN | Yes | Yes | Yes | Yes |
| TRUSTY | No | Yes | Yes | Yes |
| UNKNOWN | No | Usually no | Yes | No |
| SUSPECT | No | No | By permission | No |
Obsolete material/Under revision
IPv4 numbering scheme/address format
Most subnets are implemented as VLANs on the two switches. Some VLANs may be bridged to corresponding WiFi networks. Traffic between VLANs is managed by the primary router/firewall, which also acts as the VM host for the network infrastructure VMs (DNS, DHCP, NTP, etc.).
The router is connected to the gigabit switch using an 802.1q trunk. Hosts managing VMs can also be on 802.1q, but inter-VLAN traffic still goes through the router.
Static Internet-routable ("global", "external") IPv4 addresses
We have one global address by virtue of having a Teksavvy account, and we pay for an additional /28. The first global address is automatically given to the router. Global addresses in the extra /28 subnet are individually assigned to internal hosts using host routes.
Router WAN interface (76.10.176.53)
This is the source address for outgoing NATed traffic (meaning most of the traffic we generate). It's also the address we use for many incoming services, which are then port forwarded to the corresponding internal addresses.
We seem to have gotten this address consistently for years. I think it's "assigned" to us, but need to check.
Port forwarding for incoming connections from the Internet
The router address also has the following port forwards and local services (check router configuration for authoritative list):
- TCP/21, FTP: Forwarded to the public filing/mirroring service?
- TCP/22, SSH: Router management, SSH-based VPN forwarding. Local service.
- TCP/80, HTTP: Forwarded to our internal Web server, which gives access to:
  - Wiki/CMS
  - Public mirrors (media, distros, etc)
- UDP/123, NTP: NTP speaker (actually on the router)
- */500, IKE, IPsec: VPNs with outside world (family VPN, USA VPN, etc)
- TCP/2222, SSH nonstandard: Forwarded to Cisco lab management system
Assigned static IPv4 (206.248.144.216/29)
Will change these assignments soon; laptops don't really need public addresses, and it's a PITA to support mobility. Probably will reassign to P2P services, privacy services, PBXes, etc.
One of these addresses may have a dedicated VLAN, or may be overlaid onto one of our internal VLANs. Filtering is always special-cased.
- 206.248.144.216 - Host-zero address! Assigned to Siemens IP phone
- 206.248.144.217 - Address of router (infra)
- 206.248.144.218 - Allocated for Warren's laptop, apparently not being used
- 206.248.144.219 - Blue's laptop (bluebell)
- 206.248.144.220 - jbash Cisco laptop (prime candidate for recycling)
- 206.248.144.221 - jbash active laptop (candyfloss)
- 206.248.144.222 - Presently used for public services on paunch
- 206.248.144.223 - Theoretically broadcast; may be usable in desperation
Internal (RFC1918) IPv4 address format (Prefix/16 + net type/4 + net number + host/8)
The first 4 bits after the fixed prefix are always a subnet type. The remaining 12 bits are split between subnet number and host number. For subnet types 0-7, the subnet number is always 4 bits and the subnet mask is always /24. Other net types may use other splits.
Internal IPv4 Prefix (10.143.0.0/16)
All internal addresses have prefix 10.143.0.0/16.
Transparent Tor IPv4 Prefix (10.144.0.0/16)
We use 10.144.0.0/16 for dynamic assignment of Tor pseudo-addresses. Tor requires at least a /16 for this. This is treated as an untrusted part of the outside Internet.
Subnet type defined
The 4-bit subnet type defines the security and routing policy for the net; to first order, all subnets with the same type have the same policy.
Types 0-7 are relatively "normal" networks with regular 24-bit subnet masks and non-pathological access policies. Within such 24-bit subnets, there's a host numbering standard upon which the firewall relies.
Types 8 and above are things that may have different subnet masks or more complex policies that require stupid mask tricks. Host numbers in this space can't be relied upon for much.
Subnet types are used for the following:
- Subnet numbers (net type followed by ID within type)
- VLAN numbers (for "internal" networks, these are always the same as "subnet number" in 3rd octet of IPv4; values over 1000 are special cases)
- Tagging packets in the firewall (also may mask type out of an address)
Each net type has an associated general firewall/NAT/routing policy. This is for general convenience, but is not absolutely to be relied upon; there may be case-by-case exceptions for hosts or even subnets.
Assigned subnet types and numbers
Type 0 (10.143.0.0/20): Reserved for future use
Not sure about this type. The concept is that things like DBMSs may only need to talk to "front end" services, and not directly to clients. Would talk to public and family services.
Type 1 (10.143.16.0/20): Infrastructure management ("mgt")
System management, building systems and the like. Never talks directly to the Internet or to any untrusted or guest device. Family devices and internal services on a case-by-case basis. Can generally talk among itself. Permitted to initiate to internal net services. Some subnets may be able to initiate to outside systems.
- Switch/router/AP management interfaces
- Consoles
- VM host management interfaces
- Lighting, HVAC, electrical, water, etc.
- Alarm system
- Sensors
- Surveillance
Allocated:
- 10.143.16.0/24: Network device management interfaces and consoles
- 10.143.17.0/24: Electrical, water, lighting, HVAC, etc.
- 10.143.18.0/24: Building security: alarms, door locks, etc.
- 10.143.19.0/24: Misc. sensors
- 10.143.20.0/24: Surveillance
- 10.143.21.0/24: Link from site router/firewall to DSL modem to Internet
Type 2 (10.143.32.0/20): Public services ("pub")
Services that may need to talk to random hosts out on the Internet as well as to local/internal stuff.
- DNS
- NTP except it's on the router...
- Kerberos KDC
- LDAP server
- RADIUS server
- VPN connection points
- Shoutcast
- Media and software distro mirrors
- Wiki?
- Telephony/conferencing
Allocated:
- 10.143.32.0/24: Core IP infrastructure and authentication (NTP, DNS, Kerberos, LDAP, RADIUS)
- 10.143.34.0/24: General services, including Web and "media"
- 10.143.35.0/24: Telephony (physical devices for now; may add for VMs)
Type 3 (10.143.48.0/20): Internal services ("int")
Things that provide services to local users, and even to guests, but that shouldn't be accessible over the Internet except perhaps via VPN. These can't initiate to anything.
- "Pure" printers (no scan/fax)
- 3D printer
Type 4 (10.143.64.0/20): Family-only data ("fam")
Carries data (clients and services) only for use by family members. Not reachable from the Internet (except via VPNs) or to guests. High-numbered hosts can *initiate* to the Internet (see host numbering convention).
- Family devices (laptops, phones, etc).
- Calendar
- Finance DBs
- Wiki??
- Personal filing
- Family shared filing
Allocated:
- 10.143.64.0/24: Family wired net (servers and clients)
- 10.143.65.0/24: Family wireless net (may need to eliminate and bridge for address stability)
- 10.143.72.0/24: Family VPN (remote access to in-house services)
Type 5-6 (10.143.80.0/20, 10.143.96.0/20): Reserved for future use
Type 7 (10.143.112.0/20): Invited guests ("gst")
People we've actually asked to use our network, and who might need to use our local services. These differ from "untrusted" in that they can initiate to one another and to public services and the Internet.
Allocated:
- 10.143.112.0/24: Guest WiFi
Type 8 (10.143.128.0/20), mostly /28 subnets: Untrusted devices ("unt")
Anything that we want to provide with Internet access, but don't trust to behave nicely. These devices aren't allowed to talk to each other, or to any non-public service, but can talk to the Internet. Some may receive incoming connections from the Internet.
- Printer/FAX/scanner
- Phone
- Roku
- Wii
- Public wireless
- Any P2P or similar service
Allocated:
- 10.143.128.0/28: Uplink for Cisco VPN router (Cisco box thinks this is the "Internet")
- 10.143.128.16/28: Uplink for RIPE NCC "RIPE Atlas" probe (ripe-probe.kdjf.net)
- 10.143.143.0/24: Public WiFi access
The transparent Tor addresses in 10.144.0.0/16 are vaguely in this class, although it's really more correct to see them as part of the outside Internet.
Type 9 (10.143.144.0/20): VPN and tunnel overlays ("ovl")
Used within VPNs which should not be routed into any "real" network. A central VPN "access point" or "concentrator" assigns one of these addresses to each device directly using the VPN, and NATs any traffic that arrives from such addresses, so the addresses never show up outside the VPN itself. A device on the VPN may route traffic to the concentrator's VPN address to make it cross the VPN.
Note that the "remote access" VPN for family use is NOT in this type, but is a regular routed network in the family address space, so that devices on it can communicate with internal stuff without being NATed.
Allocated:
- 10.143.144.0/24: VPN to USA (NATed exit at vps1.velvet.com)
Types 0xa - 0xb: Reserved for future assignment
Types 0xc - 0xf (10.143.192.0/18): Restricted to device area of network ("lcl")
Used "internally" to a host or a mutually consenting part of the network. For example
- Virtual nets for networking among VMs internal to a host.
- Office or lab networks (NATed off from "main" network)
- "Subnet number" for a subnet used only as a target for a host route to one of our global addresses.
These should never appear on the wire in the "main" part of the network, and are filtered out by routers and firewalls if they do show up. The same subnet may be reused in multiple isolated domains.
Conventionally:
- 10.143.192.0/24: Purely host-internal network between host and VMs (vmnet1)
- 10.143.193.0/24: VMs NATed to outside using host masquerading (vmnet8)
- 10.143.194.x/30: Links from the main router to globally-addressed hosts
- 10.143.224.0/19: Tor addresses returned from the main router to hosts on the transparently torified subnet
VLAN numbers
NB: IEEE defines VLANs up to 4096, but the old Cisco 3500XL 100M switch can only handle up to 1001.
| VLAN | Use |
|---|---|
| 0-255 | Used for IP subnets within 10.143.0.0/16; VLAN number matches third octet |
| 532 | "Old" public network on 10.0.132.0/24; used during transition |
| 561 | "Old" internal network on 10.0.161.0/24; used during transition |
| 568 | Subnet in Cisco address space (10.20.126.240/28) |
| 716-723 | Subnets used for links to individual hosts in 206.248.144.216/29 |
Host numbering for subnet types 0 through 7 (always /24 masks)
Overall numbering plan
IPv4
| Host | Use |
|---|---|
| 1 | Router "upstream" toward Internet. |
| 2-5 | Routers "downstream" or alternate outgoing routers |
| 6-15 | Local switches and APs (if they're not the router and have addresses on the subnet). Switches grow up from 6, APs grow down from 15. These won't appear on most subnets; you'll find them largely on subnet 16. |
| 16 | Local DHCP server or helper (if different from router/switch/AP) |
| 17-31 | Local services and "overflow" infrastructure (more routers/switches/whatever). Services grow down from 31, infrastructure up from 17. These aren't available off this subnet. |
| 32-95 | "Global" host assignments (a host in this range has the same number on all subnets on which it appears). |
| 96-159 | Segment-local static host assignments, including DHCP-backed static assignments |
| 160-223 | Dynamic/floating DHCP host assignments |
| 224-239 | Reserved for future assignment |
| 240-254 | Short-term manual hacks |
| 255 | Broadcast |
IPv6
"Clients" may use MAC-based addresssing or "privacy" addressing.
Things with statically assigned IPv4 addresses will put their IPv4 host numbers in the bottom octets of their IPv6 addresses.
Restricted hosts for "local" or "backend" services (1-31)
Hosts 1-31 on all subnets are used for "subnet-local" services, meaning services primarily used by other hosts within the subnet itself. For example, many services on the "public" services network might use a DBMS backend, but the backend itself wouldn't normally talk to anything that's not on the subnet. Hosts 1-31 are always inaccessible from the Internet, although they may be given special dispensation to initiate to the Internet.
Local services may also be inaccessible from some internal hosts that can reach the rest of the subnet. However, all or nearly all local services are available from family and management subnets.
Global host numbers (32-95)
Some hosts appear on multiple subnets, usually for performance reasons. We try to give these hosts the same number on every subnet.
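As an added illustration (not part of the original plan), the decoding rules from the address-format and host-numbering sections above, in Python: it splits an internal address into subnet type, subnet number and host role, and derives the matching IPv6 subnet by the pattern visible in the allocation table. That v6 rule is an assumption read off the table (third octet into the low byte of the fourth hextet; for longer masks the fourth octet into the high byte of the fifth), and the "reserved" label for unassigned types is ours.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.143.0.0/16")
V6_PREFIX = "2607:f2c0:f00f:19"   # from the HQ /56 in the "Prefixes we own" table

# Subnet type code -> symbolic name, from "Assigned subnet types and numbers".
# "reserved" is our placeholder for types the plan has not assigned.
TYPE_NAMES = {1: "mgt", 2: "pub", 3: "int", 4: "fam", 7: "gst", 8: "unt", 9: "ovl",
              0xc: "lcl", 0xd: "lcl", 0xe: "lcl", 0xf: "lcl"}

# Host-number ranges for types 0-7, from the "Overall numbering plan" table.
HOST_ROLES = [
    (0, 0, "network address"),
    (1, 1, "upstream router"),
    (2, 5, "downstream/alternate router"),
    (6, 15, "switch or AP"),
    (16, 16, "local DHCP server"),
    (17, 31, "local service / overflow infrastructure"),
    (32, 95, "global host"),
    (96, 159, "segment-local static host"),
    (160, 223, "dynamic DHCP host"),
    (224, 239, "reserved"),
    (240, 254, "short-term manual hack"),
    (255, 255, "broadcast"),
]

def decode(addr):
    """Split an internal IPv4 address into type / subnet number / host role."""
    ip = ipaddress.ip_address(addr)
    if ip not in INTERNAL:
        raise ValueError(f"{addr} is not in {INTERNAL} (Tor space and globals are outside)")
    o3, o4 = ip.packed[2], ip.packed[3]
    net_type = o3 >> 4                       # top 4 bits of the third octet
    info = {"type": net_type, "type_name": TYPE_NAMES.get(net_type, "reserved"),
            "subnet_octet": o3, "host": o4}
    if net_type <= 7:                        # regular /24 nets: low 4 bits = subnet number
        info["subnet_number"] = o3 & 0xF
        info["role"] = next(r for lo, hi, r in HOST_ROLES if lo <= o4 <= hi)
        info["subnet_local"] = 1 <= o4 <= 31  # never reachable from the Internet
    else:                                    # types 8+: mask-dependent, host numbers unreliable
        info["subnet_number"] = None
        info["role"] = "mask-dependent (type >= 8)"
        info["subnet_local"] = False
    return info

def v6_subnet(v4_subnet):
    """IPv6 subnet for an internal IPv4 subnet, following the allocation table's pattern."""
    net = ipaddress.ip_network(v4_subnet)
    o3, o4 = net.network_address.packed[2], net.network_address.packed[3]
    if net.prefixlen == 24:
        return ipaddress.ip_network(f"{V6_PREFIX}{o3:02x}::/64")
    if net.prefixlen > 24:                   # e.g. the /30 host-route links -> /72
        return ipaddress.ip_network(f"{V6_PREFIX}{o3:02x}:{o4:02x}00::/72")
    raise ValueError("only /24 and longer subnets follow the table mapping")
```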
Symbolic naming
Host device names
Names of PROTOCOLs are reserved for use as aliases for the servers family and internal devices should use by default. Thus "smtp" points to the best default choice for an outgoing mail server, "imap" to the usual mailbox server, etc. If there are multiple servers for a protocol, they may be given numbered aliases ("smtp-0"), but the bare protocol name will always point to a reasonable default.
Single-purpose shared and service-providing DEVICEs are named by function and numbered. There's always a number, even if there's only one of the device. Numbers start from zero. The number is separated from the name by a hyphen. Examples: "router-0", "filer-0", "printer-0". If the device offers essentially the same service using multiple protocols, the name of the service is used. If the service exists in multiple network types, the network type is included: "public-web-0".
VM HOSTs are named "vmhost-n", and may have network types if all the VMs they host are in the same type.
Personal devices and pure clients are named whimsically according to personal preference.
DNS names for individual interface IP addresses
If a device has only one IP address, it gets only one DNS name, and the reverse mapping for its IP address goes to that name. If the device moves around, it's responsible for using DNS dynamic update to set the address associated with its name.
If a device has multiple active IP addresses for different NICs, forward DNS mapping for the "bare" host name goes to all of them. Each interface address also gets a DNS name of the form "device-netn", where n is the 8-bit "subnet" octet of that interface's address. In addition, the device may have aliases of the form "device-interface", where interface is the name the device uses internally for the interface (eg "foobar-eth0").
Reverse mappings for all addresses go to the "bare" device name, this being the least-worst choice since it avoids breaking spoof checks on other hosts.
Symbolic network names (netgroups, ESSIDs, etc)
Network names are of the form "type-number[-desc]", where:
- type is the symbolic name of the network type (eg "ctl", "fam", "pub")
- number is the entire subnet/VLAN octet, or two octets if the subnet mask is longer than /24. Thus it includes both the type code and the individual subnet number
- desc is an optional word explaining what the network does. Every network always has an alias which omits the descriptive word.
Network names resolve in DNS to "network.0" (which in turn reverse maps to the network name). "networkname-bcast" resolves to "network.255".
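The device and network naming rules above, worked through as an added Python example (not from the original page): it checks the "function-number" form for service devices and generates the A and PTR records for a network name and for a multi-homed device. Where the page is silent, it assumes the full name with the descriptive word is the primary one that network.0 reverse-maps to, that "-bcast" hangs off the short name, and that "device-interface" aliases are A records for that interface's address.

```python
import ipaddress
import re

# Service-providing devices are "function-number", numbered from zero ("filer-0", "public-web-0").
SERVICE_NAME = re.compile(r"^[a-z]+(?:-[a-z]+)*-[0-9]+$")

def is_service_name(name):
    return SERVICE_NAME.match(name) is not None

def network_records(type_name, subnet_octet, desc=None):
    """Records for an internal /24 named "type-number[-desc]".

    Assumption: the full name (with desc) is primary and network.0 reverse-maps to it;
    the short form is the alias the page says every network always has."""
    base = f"10.143.{subnet_octet}"
    short = f"{type_name}-{subnet_octet}"
    full = f"{short}-{desc}" if desc else short
    recs = [(full, "A", f"{base}.0"),
            (f"{short}-bcast", "A", f"{base}.255"),
            (ipaddress.ip_address(f"{base}.0").reverse_pointer, "PTR", full)]
    if desc:
        recs.append((short, "A", f"{base}.0"))   # alias without the descriptive word
    return recs

def device_records(name, interfaces):
    """interfaces maps the device's internal interface name (eg "eth0") to its IPv4 address.

    A single-address device gets only its bare name. A multi-homed device also gets
    device-netN (N = subnet octet) and device-interface names, and every reverse mapping
    goes to the bare name so spoof checks on other hosts keep working."""
    recs = []
    for ifname, addr in interfaces.items():
        ip = ipaddress.ip_address(addr)
        recs.append((name, "A", addr))                 # bare name -> every address
        if len(interfaces) > 1:
            recs.append((f"{name}-net{ip.packed[2]}", "A", addr))
            recs.append((f"{name}-{ifname}", "A", addr))
        recs.append((ip.reverse_pointer, "PTR", name))
    return recs
```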
ESSIDs
ESSIDs are of the form "3558Adtn:network-name".
- 3558Adtn:fam-65-family
- 3558Adtn:gst-112-invited
- 3558Adtn:unt-143-openwifi
