
10-Space IP Addressing at Cornell

** What is 10-Space and what does it do?

The simplest way to describe 10-Space is that it is a "parallel network" that prevents a system from communicating with off-campus sites while still giving hosts on-campus connectivity. 10-Space uses RFC-1918 addresses to do this. RFC-1918 is the document that defines private address space.

http://www.faqs.org/rfcs/rfc1918.html

The full ranges defined by RFC-1918 are 10.0.0.0/8, 192.168.0.0/16, and 172.16.0.0/12. These ranges are not routed across the Internet, which is what makes them "private".

Every VLAN on the Cornell network has a network in 10.0.0.0/8. These subnets are routed across the Cornell network. Each subnet has a version where the first octet is 10. The subnets are the same size and addressed the same way as their "real" versions. You can assign any of these 10-Space addresses to any of the hosts on your subnet.

You can associate hostnames with 10-Space IP addresses and assign 10-Space addresses to specific hosts through Network and Host Registration Host List Maintenance, as you would for real-space addresses. (Note: 10-Space hostnames will not work off campus.)

http://www.cit.cornell.edu/computer/support/hostreg/

The gateway for the entire VLAN is the 10-Space version of the real-space gateway address.

You can assign dynamic DHCP addresses using 10-Space, but you cannot assign both real and 10-Space addresses via dynamic DHCP on a single VLAN. You can mix statically assigned addresses via DHCP, though.

** 10-Space example

128.253.180.0/24 has the 10-Space network 10.253.180.0/24 overlaid on it. Systems on this VLAN can use addresses in either subnet. The gateway for the 10-Space host is 10.253.180.1.
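The mapping in this example can be checked mechanically. The following Python sketch is an added example, not CIT code: it derives the 10-Space overlay of a real-space subnet and checks that a host's gateway matches the address space it is in. The function names, the sample hosts, and the real-space gateway 128.253.180.1 (inferred from the 10-Space gateway given above) are assumptions.

```python
import ipaddress

def to_ten_space(addr):
    """Return the 10-Space twin of an IPv4 address: the first octet becomes 10."""
    a = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address((10 << 24) | (int(a) & 0x00FFFFFF))

def overlay(real_subnet, real_gateway):
    """Return (10-Space network, 10-Space gateway) for a real-space VLAN subnet."""
    net = ipaddress.IPv4Network(real_subnet)
    gw = ipaddress.IPv4Address(real_gateway)
    if net.prefixlen < 8:
        raise ValueError("a prefix shorter than /8 cannot be overlaid on 10.0.0.0/8")
    if gw not in net:
        raise ValueError("gateway is not inside the real-space subnet")
    # Same size, same addressing below the first octet.
    ten_net = ipaddress.IPv4Network(
        f"{to_ten_space(net.network_address)}/{net.prefixlen}")
    return ten_net, to_ten_space(gw)

def audit_host(real_subnet, real_gateway, host_ip, host_gateway):
    """Classify a host on the VLAN and report whether its gateway matches."""
    net = ipaddress.IPv4Network(real_subnet)
    ten_net, ten_gw = overlay(real_subnet, real_gateway)
    ip = ipaddress.IPv4Address(host_ip)
    gw = ipaddress.IPv4Address(host_gateway)
    if ip in ten_net:
        return "10-space", gw == ten_gw
    if ip in net:
        return "real-space", gw == ipaddress.IPv4Address(real_gateway)
    # Address belongs to neither the real subnet nor its overlay.
    return "off-vlan", False

if __name__ == "__main__":
    SUBNET, GATEWAY = "128.253.180.0/24", "128.253.180.1"  # gateway is assumed
    # Constructed inventory: (name, configured IP, configured gateway)
    hosts = [
        ("printer-a", "10.253.180.25", "10.253.180.1"),
        ("lab-pc-3", "10.253.180.26", "128.253.180.1"),   # wrong gateway
        ("web-1", "128.253.180.40", "128.253.180.1"),
        ("stray", "10.253.181.9", "10.253.181.1"),        # other VLAN's overlay
    ]
    print("overlay:", *overlay(SUBNET, GATEWAY))
    for name, ip, gw in hosts:
        space, gw_ok = audit_host(SUBNET, GATEWAY, ip, gw)
        print(f"{name:10} {ip:16} {space:11} gateway_ok={gw_ok}")
```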

** Benefits of using 10-Space

Since hosts assigned a 10-Space IP address cannot directly connect to anywhere off campus, there will be no NUBB bills for these hosts.

Also, since we do not permit connections to 10-Space to enter our network, there can be no scanning/hacking attempts from off-campus.

Also, 10-Space doubles the address space available to network administrators.

** Some considerations when using 10-Space

To allow systems assigned a 10-Space address to connect to off-campus services, the host will have to use a proxy.

  • Individual departments can deploy their own proxies to allow 10-Space systems to connect off campus.
  • CIT offers a proxy that allows 10-Space systems to access operating system software updates, virus software updates, and some application updates. Use of this proxy requires no configuration changes for the client system. The sites that are currently being proxied through CIT's proxy can be found here: http://transproxy.cit.cornell.edu:8888/proxied.html

Traffic between a real-space address and a 10-Space address on the same VLAN will go through the gateway router. Any Edge ACLs that affect the subnet will be applied to that traffic.

Though 10-Space addressed hosts cannot be directly attacked from outside the Cornell network, they are still vulnerable to attacks from on-campus hosts. 10-Space addressed hosts should be maintained as any other campus host should be. Information on how best to secure systems can be found:

For more information on how to use 10-Space on your subnet, contact the Network Operations Center at noc@cornell.edu or 607-255-9900.



Last updated: June 04, 2007