North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Can a customer take IP's with them?

  • From: Howard C. Berkowitz
  • Date: Fri Jun 25 17:01:09 2004 
At 3:29 PM -0400 6/25/04, Eric Gauthier wrote:

 > Only one customer?  There are a couple "consulting" firms in

 particular around here that use arbitrary space on internal
 networks.  Sometimes a currently-dark IP block is configured, so
 "it works for us".  It gets annoying after a while.

The worst one I've seen so far is Ticketmaster... last month.  If you want to
sell tickets through them and connect via the network, they require you to
have a private, backend connection to them and then require you to route
29.2.0.0/15, 29.4.0.0/15, and 29.6.0.0/16 via that connection.
Several third-party health payors, as well as a few HMOs and the like, do exactly this sort of thing with medical service providers. It makes hospital addressing, at times, rather interesting.

Some of them used the rationalization that if the space wasn't in the Internet routing table, it was more secure. To make it worse, a couple further expected you to address some of your hosts with their bogus address space, and then run transport-mode IPSec to them.

If you have never had a good sized hospital decide you are their new ISP (or network manager), it's good to find someone that will write prescriptions for legal drugs. On your first site visit, when you start discovering some of their addressing oddities, you will want to go to the pharmacy and get the scripts filled, to help you get through the day.

While newer applications, if anything, go overboard for security, some earlier medical applications, especially laboratory instrumentation, just send all their data to 255.255.255.255. I asked one of the programmers why they did that, and he said they didn't know if somebody might plug in a device that needed the data, so they didn't want to be bothered putting in support for it.

You will find there are now an assortment of security and privacy laws that the hospital has to support, HIPAA being the best known, but also 21CFR11 for clinical trials, DEA electronic prescribing of controlled substances, and COPPA for pediatric data. Unfortunately, no one has ever decided to harmonize the security requirements for the different mandates. If it helps put things in perspective, the legislation enabling recent extensive modifications and additions to HIPAA was titled the HIPAA Administrative Simplification Act. George Orwell would have loved it.