Achieving RFC 1918 coverage
RFC 1918 is an internet standard published by the Internet Engineering Task Force (IETF) that defines best practices for private networking. RFC 1918 defines three address ranges that are reserved for private networking.
- 10.0.0.0/8 or 10.0.0.0 – 10.255.255.255
- 172.16.0.0/12 or 172.16.0.0 – 172.31.255.255
- 192.168.0.0/16 or 192.168.0.0 – 192.168.255.255
Scanning the entire RFC 1918 space can allow you to identify subnets or assets that you were previously unaware of within your internal network.
Who is this playbook for and why?
This playbook is intended for runZero administrators that are interested in running discovery scans of the entire RFC 1918 private address space.
runZero offers a Full RFC 1918 discovery scan option that will discover assets across all three private address ranges as a single task. However, this scan option is only recommended for small networks with limited complexity and should only be leveraged in a single-site configuration. This playbook is intended for more advanced scenarios or larger, more complex networks.
How will runZero help?
runZero is able to discover subnets or assets that you may have been previously unaware of by scanning the entire RFC 1918 private address space. Using this approach can help you ensure that your asset inventory is complete.
What will I need to do?
In order to scan the entire RFC 1918 private address space, you will need to take the following steps:
- Determine how to divide the private address ranges.
- Create a scan template for each address range.
- Configure each scan.
- Review the RFC 1918 coverage report.
Steps to implement
The following are step-by-step instructions for running custom RFC 1918 scans across your network.
Step 1: Determine how to divide the private address ranges
Running a comprehensive RFC 1918 scan across a large network can take days or even weeks to complete. As a result, it is important that you break up this scanning into multiple tasks. While some trial and error may be needed to find a right balance for your organization, one option would be to break the scan up into six sections as follows.
|Discovery Scope||IP Address Range||No. of IP Addresses|
|192.168.0.0/16||192.168.0.0 - 192.168.255.255||65,536|
|172.16.0.0/12||172.16.0.0 - 172.31.255.255||1,048,578|
|10.0.0.0/10||10.0.0.0 - 10.63.255.255||4,194,304|
|10.64.0.0/10||10.64.0.0 - 10.127.255.255||4,194,304|
|10.128.0.0/10||10.128.0.0 - 10.191.255.255||4,194,304|
|10.192.0.0/10||10.192.0.0 - 10.255.255.255||4,194,304|
Step 2: Create an RFC 1918 scan template
Since you will be running multiple scans to cover all of the RFC 1918 private address ranges, creating a scan template will simplify the scheduling of scans and help ensure a consistent configuration across each scan.
- Add a template by selecting Tasks > Templates from the side navigation and then click Add template.
- Provide a Name for the template.
- Set the Scan rate to a minimum of 5,000 packets per second.
- Navigate to the Advanced configuration tab.
- Under Excluded hosts, exclude all subnets that are already being scanned by other tasks.
- Under Subnet sampling, enable Only scan subnets with active hosts and set an appropriate Sample rate and Subnet size.
For your first RFC 1918 scan, runZero recommends using the default sample rate of 3% and the default size of 256.
- The sample rate determines what percentage of addresses in each subnet are prescanned to determine if the subnet should be scanned.
- The subnet size determines how many IP addresses are in each subnet.
- By default, the subnet size is 256 addresses, corresponding to a /24 subnet, and 3% of the addresses in each subnet are prescanned.
- If after running several scans you find that you are missing assets with the default 3% sample rate, then you can increase it. Keep in mind that as the sample rate increases so will the runtime for scans. If you determine that increasing the sample rate is necessary, an increase from 3% to 5% would be a reasonable first step.
- Navigate to the Probes and SNMP configuration tab.
- Under Advanced probe options, set Use defaults to No.
- Turn off probes that leverage third-party integrations. These probes can be turned on once recurring scans are scheduled on subnets with live assets. Deactivating these probes during an RFC 1918 scan will help shorten overall runtime.
- Save your template.
Step 3: Configure each of the RFC 1918 scans
Once you’ve created a scan template, it’s time to schedule each of the scan ranges identified in Step 1.
- Create a new scan task by selecting Tasks from the side navigation and then click Scan > Template scan.
- Type the name of the RFC 1918 scan template that you just created into the search bar.
- Select the radio button for the appropriate template and click Continue to scan configuration.
- Provide a Scan name.
- Update the Discovery scope with the first RFC 1918 address range, as determined in Step 1.
- Set the Start time to the time that you wish to start the scan.
- Click Initialize Scan.
- Follow the previous steps to schedule each of your RFC 1918 scans, as determined in Step 1.
Step 4: Review the RFC 1918 coverage report
Once you’ve completed all of the RFC 1918 scans, review the RFC 1918 coverage report. This report will show you which IPv4 subnets contain assets. After completing all your RFC 1918 scans, you should not see any subnets highlighted with a red box indicating that there are unscanned assets. The information in this report can be used to schedule recurring scans of subnets that contain live assets. The Subnet Utilization report is another useful report that can be used to find subnets with live assets. This report also allows you to export to CSV format, which can be useful for further analysis and scheduling recurring scans.
If you plan to run recurring RFC 1918 scans, consider implementing a dedicated Explorer or an Explorer with Max concurrent scans set to at least 2 so that other scan tasks are able to complete while the RFC 1918 scan is still running. Keep in mind that you may need to increase Explorer system resources above our minimum system requirements if you plan to run multiple concurrent scans with a single Explorer.
While an Explorer can have a max concurrent scans setting greater than 1, the results of these tasks are processed one at a time. Processing the results of a large RFC 1918 scan can take a considerable amount of time depending on the size of the result set. This could cause a delay in the processing and completion of other tasks.
In addition to RFC 1918 scanning, there are a couple of other options for finding gaps in your scanning. Review Identifying gaps in scanning for information on other techniques that can be employed to reduce scan coverage gaps.
If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.