Beware Factory Default IP Address

Address Space

One of the earliest design decisions that a network administrator must face, involves the assignment of IP address space.  Many administrators abdicate this responsibility, and succumb to the temptation of using the factory default address space assigned by the manufacturer of their gateway / router.  This article discusses the perils of such a decision.

It is common practice for manufacturers to assign one of the following IP addresses to the LAN / Management interface of a gateway / router: / 24, / 24, / 24

The 24-bit prefix (/24) implies a network mask of  The network mask is used in routing decisions, which you don’t need to understand, in order to benefit from this article.

Using a factory default address assignment is not inherently a problem, but it invites a problem.  Each network interface attached to the network, requires a uniquely assigned IP address.  If two interfaces are assigned the same address, this duplication creates conflict, and results in connectivity issues.  If an address conflict exists with the default gateway, this is particularly problematic, and difficult for some to diagnose.  How does such a scenario arise?  Quickly.  A single unauthorized employee, let’s call him “bonehead” (no relation); introduces a rogue device (e.g.: wireless access point), with the same factory default address assignment, and that’s itYou’re in it.

Think this doesn’t happen?  Read on.


Situational Background

We received a call from a new client; a mid-sized software company that serves the manufacturing sector.  For several months, they had been plagued with intermittent connectivity issues.  External clients were unable to establish or maintain connections to in-house servers.  Internal employees were unable to establish or maintain connections to Internet resources.  At any given time, some hosts (computers) would be symptomatic, while others remained asymptomatic, without apparent rhyme or reason.  During our discussion, we determined that internal hosts could connect to internal resources, without issue.  This was an important clue.


Technical Background

Hosts typically require the services of a default gateway, to connect to resources on other IP networks.  To communicate with the gateway, a host needs to resolve the gateway’s Media Access Control (MAC) address, via the Address Resolution Protocol (ARP).  The host broadcasts an ARP request, asking all devices configured with the gateway’s IP address, to respond with their corresponding MAC address.  The gateway should be the only responder to such a request.  However, when an IP address conflict exists, the other device will respond as well.  Hosts cache ARP responses (Fig. 1) in an ARP table until they time out, or are overwritten.  Unfortunately, a race condition existsOnly one of the two responses can be cached.  The determination as to which response is cached, is a matter of timing.  When an erroneous ARP response is cached, the host will forward frames intended for the gateway, to the other device instead, with consequence.  This state will persist until the erroneous ARP cache entry is overwritten with the correct MAC address, at which time, symptoms will subside, for that host.  If the host happens to be a server, then the implications are magnified.  The intermittent nature of the symptoms, is directly attributable to this variability.

user@host:~$ ip neigh show dev eth0 lladdr 00:12:01:a1:b2:c3 REACHABLE

Figure 1. An ARP cache entry on a Debian (Linux) host.


Human Factors

An employee decided that he needed more connectivity than what his employer had provided.  He had access to a hobbyist-class Linksys gateway / router, with an integrated switch (i.e.: multiple LAN ports).  He connected the gateway to the network, and used the increased port density it afforded him, to provide connectivity for his computer, and other devices.  The Linksys gateway had a factory default IP address assigned to its LAN / Management interface, which happened to conflict with the factory default address assigned to the corporation’s default gateway.  This individual’s actions plagued the company for months.


Lesson to be Learned

Had the network administrator chosen to use IP address space that was not commonly used by manufacturers as a default, the network would have been able to tolerate the rogue device, without penalty.

Had Shakespeare been a network administrator, his most notable quote may have been – “To use, or not to use, that is the question”.

The answer to said question, “use factory default addressing at your own peril”.

last modified: 2020.03.09, 19:18 -0400