nebula
Question: Multiple unsafe routes with the same IP and subnets
I'm working on trying to set up remote access for some industrial machinery. Each machine has a private internal network, and changing any of those IP addresses would be unfeasible. The intent here is that the machine builder has their own overlay network for monitoring, and the integrator has an overlay network with access to the internal subnets for troubleshooting. How would I avoid collisions in the 192.168.1.x subnet? Is there a way to set things up so that the troubleshooting laptop can only see the private subnet of a certain machine whenever necessary? Is it even possible for a single node to be a member of two networks at the same time?
Without thinking about the exact mechanics too hard I think this is possible to do but inadvisable. If I absolutely had to do this I would probably do it by shifting the conflicting subnets to alternate address ranges through the use of NAT. In other words, even though locally they are all 192.168.1.0/24 when accessed via the overlay network they would be mapped to non-conflicting addresses.
There are many good reasons not to do this. A few I can think of:
- If something in the applications you are using to access over the overlay requires the addresses to be 192.168.1.0/24, that will break.
- Troubleshooting will become much more difficult and complex.
- You are essentially connecting things together that were not intended to connect together.
- You are making what were isolated networks with limited attack vectors much more accessible.
There are probably some reasons that things were set up this way, and you will potentially be inserting a number of gaping security holes by doing this. You need to thoroughly understand the security issues involved with all of the systems, networks, and overlay networking before doing this. You also need to understand the network engineering challenges and potential pitfalls involved.
A better, but less convenient, choice is to use a totally separate overlay network for each isolated network and to only connect to one at a time. Some of the potential issues still exist, but they are much more manageable with less complexity.
One answer is that you can use any CIDR range that is a valid private range (see https://en.wikipedia.org/wiki/Private_network), so you could use unique CIDR ranges for each overlay network.
From what I've heard, it sounds like the best solution for this problem is for each of the computers running unsafe_routes (or maybe it's the HMI integrator computers?) to use IP masquerading as a simple form of NAT to translate the duplicate IP addresses into unique IP addresses that can be addressed in your nebula network.