[HN Gopher] Pentagon retakes control of IP addresses it moved in...
___________________________________________________________________
Pentagon retakes control of IP addresses it moved in last minutes
of presidency
Author : arkadiyt
Score : 161 points
Date : 2021-09-11 15:01 UTC (7 hours ago)
(HTM) web link (www.washingtonpost.com)
(TXT) w3m dump (www.washingtonpost.com)
| EMM_386 wrote:
| Is it possible this is cronyism?
|
| Wasn't the US Government looking to sell these unused addresses
| to bring money in?
|
| What if this secretive shell company is just something run by a
| great campaign donor or someone close to the administration who
| planned on a good cut of these profits?
|
| It makes me very curious who is really behind this storefront in
| Plantation, FL.
| wmf wrote:
| The value of these addresses is peanuts to the DOD... although
| it would be a fortune if it made its way into someone's pocket.
| rbanffy wrote:
| I'm willing to bet some money that, whoever they are, they play
| golf at Mar-a-Lago.
| IAmEveryone wrote:
| This would be my bet, as well. The company being registered in
| Florida also supports it, even if it's not definitive.
|
| People get thrown off by it being the Pentagon and come up with
| all these James-Bond-level theories. But DoD just happens to be
| the owner for historic reasons.
| betwixthewires wrote:
| I was reading a thread on this site about the program and there
| was speculation that since these IPs are mothballed, lots of
| people use the address range for internal networks, particularly
| in China, and potentially this experiment was to get lots of
| networks worldwide to accidentally leak internal network traffic
| to the pentagon. Who knows what this thing was, but that sounds
| like something a government would do.
| pbronez wrote:
| Defense Digital Service is pretty solid. I'm not worried about
| this.
| count wrote:
| Solid at what?
| kjaftaedi wrote:
| You don't wonder at all why they needed a private company?
| dillondoyle wrote:
| For tech & engineering specifically, sometimes used to get
| above the govt salary caps. But standard industrial complex
| profit maker makes sense too lol
| BrianOnHN wrote:
| Cover story. As in the DDS is the cover story for how easy it
| is to do a money grab in the US gov.
| Lammy wrote:
| I figured they just like it that way for the deniability,
| e.g. https://en.wikipedia.org/wiki/Southern_Air_Transport
| [deleted]
| platz wrote:
| did someone roll a nat 20 in shadowrun
| alasdair_ wrote:
| Doesn't shadowrun only use d6 for all rolls?
| twirlock wrote:
| Linking to paywalls should not be allowed. Obvious example of our
| intelligentsia thinking it's magically special in all domains of
| life, and now that Reddit has spread to every last corner of the
| internet, we just accept it.
| programmarchy wrote:
| Could this be related to the SolarWinds hack? Maybe the Pentagon
| was monitoring traffic to surveil vulnerable corporate
| infrastructure.
| resoluteteeth wrote:
| Could you explain how this would work?
| programmarchy wrote:
| Not exactly but here's some quotes from an article earlier
| this year [1]:
|
| > Goldstein described the project as one of the Defense
| Department's "many efforts focused on continually improving
| our cyber posture and defense in response to advanced
| persistent threats. We are partnering throughout DoD to
| ensure potential vulnerabilities are mitigated."
|
| > Expanding on his [Madory] point that the Defense Department
| may want to "scare off any would-be squatters," he wrote that
| "there is a vast world of fraudulent BGP routing out there.
| As I've documented over the years, various types of bad
| actors use unrouted address space to bypass blocklists in
| order to send spam and other types of malicious traffic."
|
| > On the Defense Department's goal of collecting "background
| Internet traffic for threat intelligence," Madory noted that
| "there is a lot of background noise that can be scooped up
| when announcing large ranges of IPv4 address space."
|
| [1] https://arstechnica.com/information-
| technology/2021/04/penta...
| bwj982 wrote:
| Under what circumstances can internal traffic leak to external
| addresses in 11.0.0.0/8? I'd have thought it wouldn't have been
| routed via a gateway if the traffic is local.
| 0x0000000 wrote:
| Routing decisions are made via route tables, which may include
| routes learned from different means: connected routes ("I have
| an interface in this network"), static routes, and routes
| learned from routing protocols (BGP, OSPF, et al). While any
| given routing protocol has its own cost metric for selecting
| the best path, if a router has multiple routes to a network,
| learned from different means, there must be a way to select
| which route to install in the route table.
|
| This can be tuned, but often goes in order of connected,
| static, _external BGP_, followed by internal BGP and other
| interior gateway protocols.
|
| So, yeah if you learn a route from eBGP, you very well may take
| that path out of your own AS out to the global Internet, as
| opposed to internally where you are (incorrectly) using someone
| else's public space.
|
| (Edit: network here includes a prefix length, where more
| specific prefixes are chosen over less specific ones. In this
| case, the public announcement is 11.0.0.0/8. If you were using
| this space internally, you would presumably have more specific
| routes than a /8)
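The route-selection rule described in the comment above (longest matching prefix first, then the preference order connected, static, eBGP, iBGP/IGP for equal-length prefixes), as an added example that is not from the thread or any router vendor. The administrative-distance values, the route table and the "upstream-isp" next-hop name are constructed for illustration; the table models a site that squats on 11.0.0.0/8 internally but only carries specific routes for the subnets it actually uses, so a packet to an unused 11.x address follows the eBGP-learned /8 out to the Internet.

```python
import ipaddress
from dataclasses import dataclass

# Preference (lower wins) when the *same* prefix is learned several ways.
# The order mirrors the comment: connected, static, eBGP, then IGP/iBGP.
# Numbers are Cisco-style defaults, used only as an illustration.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str      # how the route was learned (key into ADMIN_DISTANCE)
    next_hop: str    # outgoing interface or neighbour, constructed names


def select_route(table, dst):
    """Return the route a router would use for dst: longest matching
    prefix first, then lowest administrative distance among routes of
    that prefix length. None if nothing matches (no default route)."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-r.prefix.prefixlen, ADMIN_DISTANCE[r.source]))


# Constructed table: internal users of 11.10.0.0/16 (one directly connected
# /24, the rest learned via OSPF and, redundantly, via iBGP from a remote
# site), the newly announced 11.0.0.0/8 learned from the upstream over eBGP,
# and a static default route to the same upstream.
TABLE = [
    Route(ipaddress.IPv4Network("11.10.5.0/24"), "connected", "eth1"),
    Route(ipaddress.IPv4Network("11.10.0.0/16"), "ospf", "core-switch"),
    Route(ipaddress.IPv4Network("11.10.0.0/16"), "ibgp", "remote-site"),
    Route(ipaddress.IPv4Network("11.0.0.0/8"), "ebgp", "upstream-isp"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "static", "upstream-isp"),
]


def leaks_to_internet(table, dst):
    """True when traffic for dst would leave via the upstream, i.e. when an
    internally squatted address has no more-specific internal route."""
    r = select_route(table, dst)
    return r is not None and r.next_hop == "upstream-isp"


if __name__ == "__main__":
    for ip in ("11.10.5.7", "11.10.200.1", "11.99.1.1", "192.0.2.1"):
        r = select_route(TABLE, ip)
        print(f"{ip:>12} -> {r.prefix} via {r.next_hop} ({r.source})"
              f"{'  LEAK' if leaks_to_internet(TABLE, ip) else ''}")
```

The useful check for a defender is the last case: any squatted range not covered by a more-specific internal route than the /8 now visible on the Internet leaves the AS, exactly the "accidental leak" scenario discussed earlier in the thread.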
| lvs wrote:
| I don't really understand the premise of the article. There's no
| need to change control of an ip space in a registry to assign it
| to some piece of network hardware. The ownership change seems to
| serve no purpose under the offered explanation that its purpose
| was bulk collection.
| nickthemagicman wrote:
| Why does the federal government STILL have control over 6% of the
| internet IP's?
|
| Edit: added the word still. I know the history but that was like
| 20 years or more ago.
|
| Why did they still have so much IP space?
| wrs wrote:
| The same reason Apple, Ford, and Bell Labs still have giant
| blocks -- they got in at the beginning when allocation of 4
| billion addresses seemed like a non-problem, and haven't sold
| out.
|
| https://www.iana.org/assignments/ipv4-address-space/ipv4-add...
| merrywhether wrote:
| I think I found a way for the USPS to fund the pensions for
| all their future yet-to-be-born workers...
| gjsman-1000 wrote:
| Holy moly, Apple owns _all_ of 17 . * . * . * (workaround for
| HN formatting)? Wow. That's over 16 million IP addresses.
| Fun.
| deathanatos wrote:
| CIDR notation is how you notate these; Apple owns
| 17.0.0.0/8; the /8 meaning "8 bits identify the network
| portion", so just the first octet, or the 17.
|
| https://en.wikipedia.org/wiki/Classless_Inter-
| Domain_Routing...
|
| Coincidentally, CIDR doesn't conflict with the HN comment
| syntax.
|
| Sometimes shortened to 17/8, but... I wouldn't recommend
| that.
| iso1210 wrote:
| Apple at least is a major IT company, but Ford!
| rbanffy wrote:
| They needed IP addresses for all their computers. ;-)
| count wrote:
| They use a ton of it. Millions and millions of devices around
| the globe on a bunch of networks.
| ajross wrote:
| "The internet", in the sense of the big TCP/IP v4 network we
| know today, was a DARPA-funded enhancement to the original
| ARPANET.
|
| The Pentagon owns a big chunk of the internet because the
| Pentagon paid for the internet, basically. The more interesting
| bit is how much they gave away for free, not how much it
| kept.
| chrisco255 wrote:
| We paid for the internet. The Pentagon is paid for by taxes.
| CameronNemo wrote:
| Alright, and the "we" you refer to still technically own
| those addresses.
| nickthemagicman wrote:
| But why? After all these years why did they still have
| those?
| chrisseaton wrote:
| Why does anyone have an IP address? To use them.
| kasey_junk wrote:
| It's a strategic asset. The same reason there are giant
| collections of old military planes out in the desert. You
| never know when you might need it.
| Roritharr wrote:
| I wondered about those lately. Do you happen to know if
| they are really in a state to make them flightworthy
| again if push came to shove?
|
| I would have expected them to have deteriorated to a
| point where restoring them becomes a bigger effort than
| building new planes.
| slapfrog wrote:
| It's a dry climate and aluminum doesn't just rot. It
| would obviously take some money and work to bring planes
| out of mothballs, and probably in some cases unrepairable
| damage would be discovered, but I would expect most of
| the planes to successfully reactivate if the need was
| great enough. Those that couldn't be reactivated could be
| cannibalized for spare parts.
|
| Consider that the Iowa class battleships spent some
| decades deactivated, sitting in salt water, before being
| reactivated several times.
| dboreham wrote:
| They know what they're doing. But there aren't really old
| planes in the boneyard now. 1980s vintage and later plus
| a few museum pieces that haven't been towed to the museum
| yet. The oddest thing out there is the tooling to make
| B1-B airframes.
| CydeWeys wrote:
| It used to have control over 100% of them, so this is a big
| improvement.
| qbasic_forever wrote:
| The internet was created by DARPA.
| eurasiantiger wrote:
| This can be independently verified by running a reverse DNS
| lookup, which asks the name server for a magic domain:
| 1.2.3.4 becomes "4.3.2.1.in-addr.arpa", which then yields NS
| records for the actual domains served from that address.
| snowwrestler wrote:
| To address your edit, they still do because it doesn't really
| matter. We have mitigated IPv4 exhaustion with NAT, and IPv6
| adoption is still growing. No one cares enough to try to do
| anything about it.
|
| If you made a list of "most popular concerns about the Internet
| in 2021," the size of U.S. federal IP space would be pretty far
| down.
| nickthemagicman wrote:
| NAT has problems. It isn't the same as having an IP address.
|
| IPV6 is the solution but has been in adoption forever.
|
| I just don't understand what the government needs with all of
| those IP addresses and what kind of sneaky stuff it's doing
| behind the scenes.
| SllX wrote:
| It's not sneaky to own that much address space; just
| inertia. Remember that the Internet is an outgrowth of
| ARPANET.
| Retric wrote:
| Because they paid to create it initially and have yet to sell
| their address space. There are some great stories early on that
| break down to: "Why are all these civilians on our network?"
| swarnie wrote:
| Because they can.
|
| Who's going to take it off them?
| 1970-01-01 wrote:
| The highest bidder... China.
| mc32 wrote:
| No because it was first come first served in addition to
| having sprouted from a government program.
|
| Universities who got on the bandwagon first also tended to
| have multiple class B addresses.
| icedchai wrote:
| I know several individuals who have /24's ("class C")
| blocks, including myself. I always regret not going for the
| class B. It would've just taken a couple of emails back in
| 1993.
| zamadatix wrote:
| The first place I was a network admin at they had a /16.
| I didn't deal with private IPs until I left that company
| in 2015. Even the printers were on a public IP.
| [deleted]
| swarnie wrote:
| A great answer in the late 70s, what's the reason for
| holding on to them today?
| slapfrog wrote:
| Possession is 9/10ths of the law? They already have them,
| making it easy for them to keep them.
| Xorlev wrote:
| Back when IPv4 was enough for everyone, huge blocks of IPs were
| granted to corporations and governments.
| est31 wrote:
| Because the internet originated from a federal government
| project. The federal government of the USA also owns 28% of the
| land in the USA, means it owns 1.7% of the total land on earth.
|
| Also, early owners got huge allocations. And the US government
| is an early owner.
| mfer wrote:
| I wonder if that company was a shell company set up by a 3 letter
| agency
| ceejayoz wrote:
| That seems like a fairly dumb idea. The point of a CIA shell
| company is to hide the link to the government, isn't it?
| GenerocUsername wrote:
| And here we are uncertain. What's your point again?
| cpncrunch wrote:
| https://archive.is/Y16Bg
| jvdvegt wrote:
| Does anyone know why I can't reach archive.is anymore from The
| Netherlands these days?
| CameronNemo wrote:
| Are you using Cloudflare DNS?
|
| https://jarv.is/notes/cloudflare-dns-archive-is-blocked/
| stingraycharles wrote:
| Oh man this explains so many issues I have had with
| archive.is, I couldn't pinpoint the problem. Thanks for
| sharing this, things finally make sense now.
| kevincox wrote:
| I have Cloudflare with fallback to Google and I need to
| refresh a few times to make it fallback and work. This spat
| is kinda ridiculous.
| lugged wrote:
| Is this a Mac thing? You're not meant to use DNS fallback
| for different providers.
| gumby wrote:
| I can't see what a Mac has to do with this at all.
|
| Also I can't imagine why you might think that "You're not
| meant to use DNS fallback for different providers." That
| was precisely the point it was originally designed for.
| The whole point of multiple resolvers is to have
| diversity of risk. If both your resolvers are from the
| same organization there's a higher chance that whatever
| took one out took the other out as well.
| true_religion wrote:
| I'm not really understanding the crux of it. Even if
| archive.is doesn't get your location via DNS, won't they
| get it anyways immediately one millisecond later when you
| issue an HTTP GET request?
| cyounkins wrote:
| Yes, the receiving webserver will get the IP with the
| HTTP GET, but it's mostly too late to be useful for
| serving users from a server with minimal latency.
|
| The EDNS client subnet feature reveals the client's subnet
| (but not entire IP) to the nameserver that answers the
| DNS query, which is then cached by Cloudflare/Google.
| This allows the nameserver to do geolocation at the DNS
| stage and direct the end user to a server with minimal
| latency.
|
| Without EDNS client subnet, you could get the IP for an
| archive.is frontend in a different continent and have a
| slow site experience. While the frontend server will get
| your IP, it's too late to do much about it under normal
| circumstances. An HTTP redirect would cost time, and
| you'd have to have different domains for each data
| center/region which is one thing you can avoid with the
| client subnet feature to start with.
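What "reveals the client's subnet but not the entire IP" looks like on the wire, as an added example that is not from the comment, from Cloudflare, Google or archive.is. It encodes and decodes the EDNS0 Client Subnet option (option code 8, RFC 7871): the resolver sends only as many address bytes as the source prefix length needs, with any bits past the prefix zeroed, so a /24 hint carries three bytes and the last octet of the client's IPv4 address never leaves the resolver. The decoder applies the RFC's check that no non-zero bits appear beyond the prefix, which is the validation an authoritative server should do before trusting the hint. Function names and the sample addresses (documentation ranges) are this example's own.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS0 option code assigned to Client Subnet (RFC 7871)


def build_ecs_option(client_ip, source_prefix_len):
    """Encode the ECS option a recursive resolver adds to its upstream query.
    Layout: OPTION-CODE(2) OPTION-LENGTH(2) FAMILY(2) SOURCE-PREFIX(1)
    SCOPE-PREFIX(1) ADDRESS(ceil(source_prefix_len/8) bytes).
    SCOPE is 0 in queries; the server fills it in on the reply."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    max_len = 32 if family == 1 else 128
    if not 0 <= source_prefix_len <= max_len:
        raise ValueError("prefix length out of range for address family")
    # Mask the address to the prefix, then keep only the bytes the prefix covers.
    network = ipaddress.ip_network((addr, source_prefix_len), strict=False)
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = network.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix_len, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(data):
    """Decode one ECS option taken from an OPT RR's RDATA.
    Returns (ip_network, scope_prefix_len); raises ValueError on anything
    malformed, including non-zero bits beyond SOURCE PREFIX-LENGTH."""
    if len(data) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    body = data[4:4 + length]
    if len(body) != length or length < 4:
        raise ValueError("option body truncated")
    family, source_len, scope_len = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    if family == 1:
        total = 4
    elif family == 2:
        total = 16
    else:
        raise ValueError("unknown address family")
    if source_len > total * 8 or len(addr_bytes) != (source_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = addr_bytes + b"\x00" * (total - len(addr_bytes))
    addr = ipaddress.ip_address(padded)
    # RFC 7871 section 6: bits beyond SOURCE PREFIX-LENGTH MUST be zero.
    if int(addr) & ((1 << (total * 8 - source_len)) - 1):
        raise ValueError("non-zero bits beyond prefix length")
    return ipaddress.ip_network((addr, source_len)), scope_len


if __name__ == "__main__":
    # Constructed client from a documentation range, hinted at /24.
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex())            # 0008000700011800cb0071 : only 203.0.113 is sent
    print(parse_ecs_option(opt))
```

Note that the subnet travels inside the resolver's query to the authoritative server and is also the key under which the resolver caches the answer, which is why a resolver that strips ECS (as the linked note says Cloudflare does) leaves a geo-aware nameserver unable to steer the client.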
| CameronNemo wrote:
| Frankly they (archive.is) wouldn't have this issue if
| they used BGP anycast. DNS was never designed to
| facilitate regional load balancing.
| NickNameNick wrote:
| I thought anycast wasn't reliable for TCP sessions?
|
| You can serve UDP services (eg DNS) by anycast, but if
| you hosted a tcp service, there's no guarantee the same
| server would receive consecutive packets from the tcp
| stream.
| entropicgravity wrote:
| I can't reach it from Canada either right now.
| [deleted]
| [deleted]
___________________________________________________________________
(page generated 2021-09-11 23:01 UTC)