What is 10-Space and What Does it Do?
10-Space can be described as a "parallel network" that prevents a system from communicating with off-campus sites while still giving hosts on-campus connectivity.
This article applies to: DNS
10-Space uses RFC-1918 addresses to do this. RFC-1918 is the document that defines private address space. For more information, see http://www.faqs.org/rfcs/rfc1918.html.
The ranges defined by RFC-1918 are not routed across the Internet, which is what makes them "private." Cornell filters traffic to ensure that no direct connectivity is possible to or from 10-Space hosts.
In addition to its allocated routable space, each VLAN on the Cornell network also has the corresponding subnet of 10.0.0.0/8. Hosts can be placed in 10-Space simply by replacing the first octet (128 or 132) with 10. The gateway for 10-Space hosts similarly has its first octet replaced with 10.
You can associate hostnames with 10-Space IP addresses and assign 10-Space addresses to specific hosts through Network and Host Registration Host List Maintenance, as you would for real-space addresses.
Note: 10-Space hostnames will not work off campus, but they are accessible via the VPN.
You can assign dynamic DHCP addresses using 10-Space, but you cannot assign both real and 10-Space addresses via dynamic DHCP on a single VLAN. You can mix statically assigned addresses via DHCP, though.
220.127.116.11/24 has the 10-Space network 10.253.180.0/24 overlaid on it. Systems on this VLAN can use addresses in either subnet. The gateway for the 10-Space host is 10.253.180.1.
- No NUBB bills for hosts: Hosts assigned a 10-Space IP address cannot directly connect to anywhere off campus.
- No scanning/hacking attempts from off-campus: Connections to 10-Space are not permitted to enter our network.
- Double the address space available to network administrators.
Systems assigned a 10-Space address must use a proxy to connect to off-campus services.
- Individual departments can deploy their own proxies to allow 10-Space systems to connect off campus.
- CIT offers a proxy that allows 10-Space systems to access operating system software updates, virus software updates, and some application updates. Use of this proxy requires no configuration changes for the client system.
Traffic between a real-space address and a 10-Space address on the same VLAN will go through the gateway router. Any traffic filtering, including Managed Firewall, that affects the subnet will be applied to that traffic.
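The octet-replacement rule and the gateway behavior described above can be checked against a host inventory. The following is an added example, not Cornell's own tooling: the function names are hypothetical, and the sample real-space prefix 128.253.180.0/24, its gateway, and the host addresses are constructed.

```python
import ipaddress

TEN_SPACE = ipaddress.ip_network("10.0.0.0/8")
REAL_FIRST_OCTETS = {128, 132}  # first octets the article names for real-space

def to_ten_space(addr):
    """Replace a real-space first octet (128 or 132) with 10."""
    ip = ipaddress.IPv4Address(addr)
    if int(ip) >> 24 not in REAL_FIRST_OCTETS:
        raise ValueError(f"{ip} does not start with 128 or 132")
    return ipaddress.IPv4Address((10 << 24) | (int(ip) & 0x00FFFFFF))

def overlay(real_net):
    """10-Space subnet overlaid on a real-space subnet (same prefix length)."""
    net = ipaddress.ip_network(real_net)
    return ipaddress.ip_network(f"{to_ten_space(net.network_address)}/{net.prefixlen}")

def is_ten_space(addr):
    return ipaddress.ip_address(addr) in TEN_SPACE

def crosses_gateway(a, b, real_net):
    """True when same-VLAN traffic is routed: one end real-space, one 10-Space."""
    nets = (ipaddress.ip_network(real_net), overlay(real_net))
    for host in (a, b):
        if not any(ipaddress.ip_address(host) in n for n in nets):
            raise ValueError(f"{host} is not on the VLAN carrying {real_net}")
    return is_ten_space(a) != is_ten_space(b)

def audit(hosts, real_gateway):
    """Per host: address space, gateway to configure, and proxy requirement."""
    report = {}
    for host in hosts:
        ten = is_ten_space(host)
        gateway = to_ten_space(real_gateway) if ten else ipaddress.ip_address(real_gateway)
        report[host] = {
            "space": "10-Space" if ten else "real-space",
            "gateway": str(gateway),
            "needs_proxy_off_campus": ten,
        }
    return report

if __name__ == "__main__":
    VLAN, GATEWAY = "128.253.180.0/24", "128.253.180.1"  # constructed sample values
    hosts = ["128.253.180.25", "10.253.180.40", "10.253.180.41"]  # constructed
    print("overlay:", overlay(VLAN))
    for host, row in audit(hosts, GATEWAY).items():
        print(host, row)
    print("filtered at gateway:", crosses_gateway(hosts[0], hosts[1], VLAN))
```

A pair flagged by crosses_gateway is subject to whatever subnet filtering applies at the router, so firewall rules written for the real-space subnet also affect traffic to its 10-Space neighbors on the same VLAN.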
Though 10-Space hosts cannot be directly attacked from outside the Cornell network, they are still vulnerable to attacks from on-campus hosts. 10-Space hosts should be maintained like any other campus host.