IP Address is Not Identity
May 3, 2011 1 Comment
When TCP/IP first developed by DARPA in the 1970s, every host on the ARPANET got an IP address. The “hosts” file which still exists on every computer mapped addresses to hosts until it was superseded by the Domain Name System (DNS). Certainly it was possible to do tricks like mapping more than one name (A record) to an IP address or provide CNAME aliases and multihomed hosts with multiple IP addresses are allowed. But more-or-less, historically an IP address maps to a computer. Furthermore, until recently IP addresses were doled out by ARIN and others in big blocks. Anyone who had a hint of a need could get IP addresses in lots of 256 addresses, sometimes called a Class C subnet or a “/24”. In the late 1990s in the Mid-Atlantic region of the USA, a T-1 came with 256 IP addresses and it was easy to get another 256 or more with the most modest excuse.
Historically, therefore, there is a notion that an IP address is pretty much a host and that host is part of a block of IP addresses which are managed by some entity which owns that computer and all the others in the subnet.
We are out of IP addresses and this world where a host is an IP address and a /24 is controlled by a single entity no longer exists.
IPv6 may be the solution but the reality is that nobody is using it. In today’s world IP addresses are shared by multiple computers and even multiple companies using a variety of schemes including
- Virtual hosting
- Network Address Translation (NAT)
- Dynamic address allocation (DHCP)
- Shared service computing (SaaS, Application Service Provider, Cloud Computing, etc) The bottom line is that an IP address is no longer reliably associated with any kind of identity. That email you just got might be coming from a Google Apps IP address or maybe one from Office 365 that is originating mail for hundreds of companies. The IP address behind this web server is most assuredly being used to host hundreds or thousands of sites. On the client end, if you have a Verizon LTE device, then you have a publically un-routable 10.x.x.x address and are being NATed onto the public Internet with some IP address shared by many others.This new reality complicates Internet security decisions because these days IP addresses are more granular than hosts and maybe more granular than organizations. The bottom line is that manipulating access control by IP address should be considered a blunt instrument virtually guaranteed to carry unintended side-effects unless the parties owning the addresses are well-known to each other.