Achieving RFC 1918 coverage

RFC 1918 is an internet standard published by the Internet Engineering Task Force (IETF) that defines best practices for private networking. RFC 1918 defines three address ranges that are reserved for private networking.

  • 10.0.0.0/8 or 10.0.0.0 – 10.255.255.255
  • 172.16.0.0/12 or 172.16.0.0 – 172.31.255.255
  • 192.168.0.0/16 or 192.168.0.0 – 192.168.255.255

Scanning the entire RFC 1918 space can allow you to identify subnets or assets that you were previously unaware of within your internal network.

Who is this playbook for and why?

This playbook is intended for runZero administrators that are interested in running discovery scans of the entire RFC 1918 private address space.

runZero offers a Full RFC 1918 discovery scan option that will discover assets across all three private address ranges as a single task. However, this scan option is only recommended for small networks with limited complexity and should only be leveraged in a single-site configuration. This playbook is intended for more advanced scenarios or larger, more complex networks.

How will runZero help?

runZero is able to discover subnets or assets that you may have been previously unaware of by scanning the entire RFC 1918 private address space. Using this approach can help you ensure that your asset inventory is complete.

What will I need to do?

In order to scan the entire RFC 1918 private address space, you will need to take the following steps:

  1. Determine how to divide the private address ranges.
  2. Create a scan template for each address range.
  3. Configure each scan.
  4. Review the RFC 1918 coverage report.

Steps to implement

The following are step-by-step instructions for running custom RFC 1918 scans across your network.

Step 1: Determine how to divide the private address ranges

Running a comprehensive RFC 1918 scan across a large network can take days or even weeks to complete. As a result, it is important that you break up this scanning into multiple tasks. While some trial and error may be needed to find a right balance for your organization, one option would be to break the scan up into six sections as follows.

Discovery Scope IP Address Range No. of IP Addresses
192.168.0.0/16 192.168.0.0 - 192.168.255.255 65,536
172.16.0.0/12 172.16.0.0 - 172.31.255.255 1,048,578
10.0.0.0/10 10.0.0.0 - 10.63.255.255 4,194,304
10.64.0.0/10 10.64.0.0 - 10.127.255.255 4,194,304
10.128.0.0/10 10.128.0.0 - 10.191.255.255 4,194,304
10.192.0.0/10 10.192.0.0 - 10.255.255.255 4,194,304

Step 2: Create an RFC 1918 scan template

Since you will be running multiple scans to cover all of the RFC 1918 private address ranges, creating a scan template will simplify the scheduling of scans and help ensure a consistent configuration across each scan.

  1. Add a template by selecting Tasks > Templates from the side navigation and then click Add template.

  2. Provide a Name for the template.

  3. Set the Scan rate to a minimum of 5,000 packets per second.

    If you're scanning across high-speed wired networks, setting the scan rate to 10,000 or more can be helpful to reduce the time it takes to complete a scan.
  4. Navigate to the Advanced configuration tab.

  5. Under Excluded hosts, exclude all subnets that are already being scanned by other tasks.

  6. Under Subnet sampling, enable Only scan subnets with active hosts and set an appropriate Sample rate and Subnet size.

    • The sample rate determines what percentage of addresses in each subnet are prescanned to determine if the subnet should be scanned.
    • The subnet size determines how many IP addresses are in each subnet.
    • By default, the subnet size is 256 addresses, corresponding to a /24 subnet, and 3% of the addresses in each subnet are prescanned.
    • If after running several scans you find that you are missing assets with the default 3% sample rate, then you can increase it. Keep in mind that as the sample rate increases so will the runtime for scans. If you determine that increasing the sample rate is necessary, an increase from 3% to 5% would be a reasonable first step.
    For your first RFC 1918 scan, runZero recommends using the default sample rate of 3% and the default size of 256.
  7. Navigate to the Probes and SNMP configuration tab.

  8. Under Advanced probe options, set Use defaults to No.

  9. Turn off probes that leverage third-party integrations. These probes can be turned on once recurring scans are scheduled on subnets with live assets. Deactivating these probes during an RFC 1918 scan will help shorten overall runtime.

  10. Save your template.

Step 3: Configure each of the RFC 1918 scans

Once you’ve created a scan template, it’s time to schedule each of the scan ranges identified in Step 1.

  1. Create a new scan task by selecting Tasks from the side navigation and then click Scan > Template scan.
  2. Type the name of the RFC 1918 scan template that you just created into the search bar.
  3. Select the radio button for the appropriate template and click Continue to scan configuration.
  4. Provide a Scan name.
  5. Update the Discovery scope with the first RFC 1918 address range, as determined in Step 1.
  6. Set the Start time to the time that you wish to start the scan.
  7. Click Initialize Scan.
  8. Follow the previous steps to schedule each of your RFC 1918 scans, as determined in Step 1.
Allow sufficient time for each scan to complete before the next scan starts. If this is your first time running an RFC 1918 scan, then we recommend scheduling the scans one at a time so that you can assess the time each takes to complete. This information can then be used to set a more appropriate schedule for any recurring scans.

Step 4: Review the RFC 1918 coverage report

Once you’ve completed all of the RFC 1918 scans, review the RFC 1918 coverage report. This report will show you which IPv4 subnets contain assets. After completing all your RFC 1918 scans, you should not see any subnets highlighted with a red box indicating that there are unscanned assets. The information in this report can be used to schedule recurring scans of subnets that contain live assets. The Subnet Utilization report is another useful report that can be used to find subnets with live assets. This report also allows you to export to CSV format, which can be useful for further analysis and scheduling recurring scans.

Other considerations

  • If you plan to run recurring RFC 1918 scans, consider implementing a dedicated Explorer or an Explorer with Max concurrent scans set to at least 2 so that other scan tasks are able to complete while the RFC 1918 scan is still running. Keep in mind that you may need to increase Explorer system resources above our minimum system requirements if you plan to run multiple concurrent scans with a single Explorer.

  • While an Explorer can have a max concurrent scans setting greater than 1, the results of these tasks are processed one at a time. Processing the results of a large RFC 1918 scan can take a considerable amount of time depending on the size of the result set. This could cause a delay in the processing and completion of other tasks.

  • In addition to RFC 1918 scanning, there are a couple of other options for finding gaps in your scanning. Review Identifying gaps in scanning for information on other techniques that can be employed to reduce scan coverage gaps.