
I am developing a web system for my school (it's in PHP, but that's not important).

The system needs to have different behaviors depending on whether or not the user is on the school network (specifically, if they are not on the school network, they need to log in).

So I need a reliable, ideally foolproof (that may be asking too much...) way of checking whether clients are on the local network.

It seems that the usual way of doing this is comparing the user's subnet to the server's subnet. However, our school has multiple subnets (including multiple campuses each with multiple subnets as well as VPN), only one of which is the server's subnet. So that method won't work.

I read RFC1918, which reserves the following IP spaces for private networks:

 10.*.*.*
 172.16.*.* - 172.31.*.*
 192.168.*.*

So could I just check if the client IP is within any of these private subnets? Is there any possibility that users outside of the network could have such an IP? Or that users connected to the school network would not have an IP in one of those ranges?

baum

2 Answers

5

If your school is filtering incoming addresses at ingress then using RFC 1918 address-space as the sentinel for being "on the LAN" is probably fine. It seems a bit dodgy to me, frankly, using IP address as some kind of implicit authentication, but it'll work.

If your school isn't filtering RFC 1918 address space at ingress then it's theoretically possible that an attacker outside could get packets into your server sourced from RFC 1918 address space that's not being used by the school. That'll depend on how the upstream ISP from the school filters traffic.

When somebody is accessing your application from a LAN that's using RFC 1918 address space the remote user's edge device is going to NAT their source address to a public IP, so you won't be seeing RFC 1918 traffic coming in from the Internet (unless somebody is trying to do something devious).

Evan Anderson
  • OK, so it *shouldn't* happen under normal circumstances, but it could? (i.e. devious hacker) – baum Jun 19 '14 at 20:44
  • @baum - Yep. It depends on the ingress filtering and the upstream ISP. If the school's firewall admin is on their game anything trying to ingress from the Internet sourced from RFC 1918 address space will be dropped. – Evan Anderson Jun 19 '14 at 20:45
  • Well, our ISP is the state (public edu facility), so they should be "on their game"... but good to know, anyways. – baum Jun 19 '14 at 20:46
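The check the question proposes, with the caveats from the answer built in (only the connection's own peer address is consulted, never a client-supplied forwarded header, and a school-specific prefix list can be used instead of all of RFC 1918). This is an added example, not code from the original post, written in Python rather than PHP since the asker says the language is not important; `trusted_prefixes` and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# RFC 1918 private address space, the three blocks quoted in the question.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_client_ip(raw: str) -> Optional[ipaddress.IPv4Address]:
    """Parse the peer address of the TCP connection (REMOTE_ADDR in PHP).

    Never use X-Forwarded-For or similar headers here: they are set by the
    client and trivially forged. IPv4-mapped IPv6 (::ffff:10.1.2.3) is
    unwrapped; anything unparseable or non-IPv4 yields None.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr if isinstance(addr, ipaddress.IPv4Address) else None


def is_rfc1918(raw: str) -> bool:
    """True if the peer address falls in any RFC 1918 block.

    As the answer notes, this only means "local" if the school's border
    drops inbound packets with RFC 1918 source addresses; remote users
    arrive NATed to a public address and fail this check as expected.
    """
    addr = parse_client_ip(raw)
    return addr is not None and any(addr in net for net in RFC1918_NETS)


def is_on_school_network(raw: str, trusted_prefixes: Iterable[str]) -> bool:
    """Stricter variant for a site with several campuses and a VPN pool:
    accept only the school's own prefixes (a constructed list supplied by
    the caller), so a private address the school does not use is not
    treated as local."""
    addr = parse_client_ip(raw)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_prefixes)
```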
1

No way will that work. There's an enormous likelihood that the users, when on a different private network, will find that they are using an RFC1918 range. The RFC does not say that they are reserved for private use by only your school. Essentially every organization that doesn't have public IPs to throw away (almost all of them) is using RFC1918 addresses for endpoints.

The best, possibly only reliable, method is to have a hostname that is either or both:

  1. Only resolvable by the DNS servers at your uni that the client would be using.
  2. Only reachable from the inside of your network.

This is how things like Microsoft NLA (network location awareness) in Direct Access work. If you can't hit privateserver.myuni.edu, then you're on the public network and need to come in through the lobby.

/edit Bah. I misunderstood the question. I missed that it's a web system, I thought the requester was developing a client software component. Evan's answer is the appropriate answer.

mfinni