
100.64.0.0/10 are not public and not a critical security risk

Open shamrin opened this issue 6 months ago • 2 comments

I have got an entry in the Risk page for a service exposed on an internal 100.* Tailscale address:

Publicly exposed database on IP 100.105.46.81 through the NodePort services 


This address is not public. Details:

  • https://tailscale.com/kb/1015/100.x-addresses
  • https://datatracker.ietf.org/doc/html/rfc6598#section-7

shamrin avatar Aug 21 '25 19:08 shamrin

Agree, I thought of very similar errors in the well-known solutions like PRISMA. And more interesting - if you accidentally used a public address in your infrastructure like 172.32.13.32 (because you missed the network mask) and the security agent could not distinguish it... even though it is set up in cluster parameters - https://kubernetes.io/docs/concepts/cluster-administration/networking/#kubernetes-ip-address-ranges and they are set up in the kubeadm configuration: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#initializing-your-control-plane-node

And the opposite could be right - when you are using addresses from RFC1918 and for some reason they become accessible from the provider network (it is possible when a route leak happens - but it is definitely an abnormal situation)

gecube avatar Sep 28 '25 19:09 gecube

@shamrin this is weird, Coroot has always treated 100.64.0.0/10 as a private block (https://github.com/coroot/coroot/blob/main/utils/ip.go#L15)

def avatar Sep 30 '25 09:09 def
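The three posts above turn on the same question: which address blocks a scanner should exclude before it labels a listener "publicly exposed". The Go program below is an added example written for this page, not Coroot's own `utils/ip.go` and not code from any participant; the block list and the `IsPublic` helper are assumptions made here. It covers RFC 1918, RFC 6598 (100.64.0.0/10, the Tailscale range from the report), loopback, link-local and IPv6 ULA, and contrasts the result with Go's standard `netip.Addr.IsPrivate()`, which by its documentation only implements RFC 1918 and RFC 4193 and therefore calls 100.105.46.81 not private. It also shows gecube's counter-case: 172.32.13.32 lies just outside 172.16.0.0/12 and is correctly reported as public.

```go
package main

import (
	"fmt"
	"net/netip"
)

// nonPublic is the set of blocks that must never be reported as
// "publicly exposed". Constructed for this example; not Coroot's list.
var nonPublic = func() []netip.Prefix {
	cidrs := []string{
		"10.0.0.0/8",     // RFC 1918
		"172.16.0.0/12",  // RFC 1918 (172.32.x.x is outside this block)
		"192.168.0.0/16", // RFC 1918
		"100.64.0.0/10",  // RFC 6598 shared address space (CGNAT, Tailscale)
		"127.0.0.0/8",    // IPv4 loopback
		"169.254.0.0/16", // IPv4 link-local
		"::1/128",        // IPv6 loopback
		"fc00::/7",       // RFC 4193 unique local addresses
		"fe80::/10",      // IPv6 link-local
	}
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}()

// IsPublic reports whether the address lies outside every non-public
// block. Unparseable input returns an error so callers fail closed
// rather than silently treating garbage as "not public".
func IsPublic(s string) (bool, error) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return false, err
	}
	// Prefix.Contains never matches a v4-mapped v6 address against an
	// IPv4 prefix, so normalise ::ffff:a.b.c.d to a.b.c.d first.
	ip = ip.Unmap()
	for _, p := range nonPublic {
		if p.Contains(ip) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Sample addresses constructed for the demo: the reported Tailscale
	// address, the mis-masked "almost RFC 1918" address, and two true privates.
	for _, s := range []string{"100.105.46.81", "172.32.13.32", "172.16.0.5", "10.1.2.3"} {
		pub, err := IsPublic(s)
		if err != nil {
			fmt.Println("bad address:", err)
			continue
		}
		fmt.Printf("%-15s public=%-5v netip.IsPrivate=%v\n",
			s, pub, netip.MustParseAddr(s).IsPrivate())
	}
}
```

A scanner that uses only `IsPrivate()` reproduces the false positive from the issue, while one that uses a hard-coded RFC 1918 list but forgets the CIDR boundary can produce the opposite error gecube describes; the point of keeping the list as parsed prefixes and testing `Contains` is that both mistakes become a one-line table fix rather than a logic change.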